b'                                          UNCLASSIFIED\n\n\n\n\n\n                      United States Department of State\n\n                   and the Broadcasting Board of Governors\n\n                          Office of Inspector General\n\n\n                                       Office of Audits\n\n\n\n             Audit of the Process To Request and Prioritize \n\n          Physical Security-Related Activities at Overseas Posts\n\n\n\n                                         AUD-FM-14-17\n\n                                          March 2014\n\n\n\n\n\n                                            Important Notice \xe2\x80\x94\nThis report is intended solely for the official use of the Department of State or the Broadcasting Board of\nGovernors or any agency or organization receiving a copy directly from the Office of Inspector\nGeneral. No secondary distribution may be made, in whole or in part, outside the Department of State\nor the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior\nauthorization by the Inspector General. Public availability of the document will be determined by the\nInspector General under the U.S. Code, 5 U.S.C. \xc2\xa7 552.\n\n\n\n\n                                          UNCLASSIFIED\n\n\x0c                                        UNCLASSIFIED \n\n\n                                                        L nil ed States Department of State\n                                                        a nd the Broadcasting Board of Governors\n\n                                                        Office of [".,p pctor Gen e,.al\n\n\n                                            PREFACE\n\n        This report is being transmitted pursuant to the Inspector General Act of 1978, as\namended, and Section 209 ofthe Foreign Service Act of 1980, as amended. It is one of a series\nof audit, inspection, investigative, and special reports prepared as part of the Office ofInspector\nGeneral\'s (OlG) responsibility to promote effective management, accountability, and positive\nchange in the Department of State and the Broadcasting Board of Governors.\n\n       This report addresses the Department of State\'s process for requesting and prioritizing\nphysical security-related activities at overseas posts. The report is based on interviews with\nemployees and officials of relevant agencies and institutions, direct observation, and a review of\napplicable documents.\n\n       OlG contracted with the indepeodent public accountant Kearney & Company, P.c.\n(Kearney), to perform this audit. The contract required that Kearney perform its audit in\naccordance with guidance contained in the Government Auditing Standards, issued by the\nComptroller General of the United States. Kearney \' s report is included.\n\n        Kemney identified four areas in which improvements could be made: developing and\nimplementing standard policies and procedures for requesting funds and responding to posts\'\nrequests; collecting and maintaining a comprehen sive list of all posts\' physical security\ndeficiencies; developing and implementing formal, standardized processes to prioritize physical\nsecurity deficiencies; and better defining the roles of Department bureaus in these processes.\n\n        OIG evaluated the nature, extent, and timing of Kearney\'s work; monitored progress\nthroughout the audit; reviewed Kearney\'s supporting documentation; evaluated key judgments;\nand performed other procedures as appropriate. The recommendations contained in the report\nwere developed on the basis of the best knowledge available and were discussed in draft form\nwith those individual s responsible for implementation. OlG\'s analysis of management\'s\nresponse to the recommendations has been incorporated into the report. OIG trusts that this\nreport will result in more effective, efficient, and/or economical operations.\n\n        I express my appreciation to all of the individuals who contributed to the preparation of\nthis report.\n\n\n\n\n                                        Norman P. Brown\n                                        Assistant Inspector General for Audits\n\n\n\n                                        UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n\n\n                                                        1701 Duke Street, Suite 500, Alexandria, VA 22314\n                                                        PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com\n\n\nAudit of the Process to Request and Prioritize Physical Security-Related Activities\nat Overseas Posts\n\n\n\nOffice of Inspector General\nU.S. Department of State\nWashington, D.C.\n\nKearney & Company, P.C. (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this letter), has performed an audit of the\nDepartment of State\xe2\x80\x99s process to request and prioritize physical security-related activities at\noverseas posts. This performance audit, performed under Contract No. SAQMMA09D0002, was\ndesigned to meet the objective identified in the report section titled \xe2\x80\x9cObjective\xe2\x80\x9d and further\ndefined in Appendix A, \xe2\x80\x9cScope and Methodology,\xe2\x80\x9d of the report.\n\nWe conducted this performance audit in accordance with Government Auditing Standards, issued\nby the Comptroller General of the United States. We communicated the results of our\nperformance audit and the related findings and recommendations to the U.S. Department of State\nOffice of Inspector General.\n\nWe appreciate the cooperation provided by personnel in Department offices during the audit.\n\n\n\n\nKearney & Company, P.C.\nAlexandria, Virginia\nMarch 6, 2014\n\n\n\n\n                                       UNCLASSIFIED\n\n\n\x0c                          UNCLASSIFIED\n\n\n\n\n\nAcronyms\nBMIS       Buildings Management Integrated System\nD&CP       Diplomatic and Consular Programs\nDS         Bureau of Diplomatic Security\nESCM       Embassy, Security, Construction, and Maintenance\nFE/BR      forced-entry/ballistic-resistant\nFAH        Foreign Affairs Handbook\nFAM        Foreign Affairs Manual\nGAO        Government Accountability Office\nGFMS       Global Financial Management System\nNEC        new embassy compound\nOBO        Bureau of Overseas Buildings Operations\nOSPB       Overseas Security Policy Board\nR&I        Repair and Improvement\nRSO        Regional Security Officer\nSECCA      Secure Embassy Construction and Counterterrorism Act of 1999\nSERM       Security Equipment Responsibilities Matrix\nSETL       Security Environment Threat List\n\n\n\n\n                          UNCLASSIFIED\n\n\n\x0c                                                           UNCLASSIFIED\n\n\n\n                                                        Table of Contents\n\n\nExecutive Summary.............................................................................................................1 \n\n\nBackground ..........................................................................................................................2 \n\n\nObjectives ............................................................................................................................7 \n\n\nAudit Results........................................................................................................................8 \n\n   Finding A. Not All FY 2012 Physical Security Funding and Expenditures\n\n\n                Could Be Identified.....................................................................................8 \n\n   Finding B. Processes To Request Funds for Physical Security Needs Could Be \n\n                Improved ...................................................................................................14 \n\n   Finding C. Department Did Not Have Information To Ensure Highest Priority\n\n\n                Physical Security Needs Were Funded .....................................................23 \n\n\nList of Recommendations\xe2\x80\xa6\xe2\x80\xa6. .........................................................................................39 \n\n\nAppendices\n   A. Scope and Methodology ........................................................................................41 \n\n   B. Office of Inspector General \xe2\x80\x93 Physical-Security Funding Questionnaire .............45 \n\n   C. Bureau of Diplomatic Security Response ..............................................................53 \n\n   D. Bureau of Overseas Buildings Operations Response.............................................59 \n\n\n\n\n\n                                                           UNCLASSIFIED\n\n\n\x0c                                       UNCLASSIFIED\n\n\n\n\n\n\n                                    Executive Summary\n        Overseas embassies have long been a target of attacks against the United States. The\nDepartment of State (Department) has more than 4,500 Government-owned or long-term leased\nresidential and non-residential buildings in more than 280 overseas locations. Over 86,000 U.S.\nGovernment employees from more than 30 agencies work or live in these facilities. The\nprotection of these employees is the responsibility of the Secretary of State. A fundamental\ncomponent of protecting U.S. Government employees is maintaining sufficient physical security\nat overseas facilities. The Department\xe2\x80\x99s Bureau of Diplomatic Security (DS) and Bureau of\nOverseas Buildings Operations (OBO) share responsibility for ensuring that overseas facilities\nare safe and secure.\n\n        The objectives of this audit were to identify the FY 2012 funding mechanisms and\namounts expended for physical security-related activities at Department-owned or\nDepartment-operated buildings overseas, determine whether the process for posts to request\nfunds for physical security needs was easy to use and was understood by post security officials,\nand determine to what extent the Department used physical security funds for high-priority\nphysical security needs at overseas posts during FY 2012. An external audit firm, Kearney &\nCompany, P.C. (Kearney), acting on behalf of the Office of Inspector General (OIG), performed\nthis audit.\n\n         Kearney found that the Department funded its FY 2012 physical security-related\nactivities at overseas Department facilities primarily with funds received for Worldwide Security\nUpgrades, which amounted to $775 million in FY 2012. The Department also received\n$511.4 million from other agencies at overseas posts through cost-sharing agreements. In\naddition, the Department can use other appropriated funds for physical security needs, including\nfunds received for Repair and Construction, Overseas Contingency Operations, and Worldwide\nSecurity Protection. Kearney identified physical security-related expenditures amounting to\n$76.1 million for Worldwide Security Upgrades and $48 million for Worldwide Security\nProtection. However, Kearney could not identify all FY 2012 Department expenditures for\nphysical security-related activities overseas because the Department did not, and was not\nrequired to, discretely track all physical security expenditures.\n\n        Kearney found that the majority of post security officials responding to an OIG\nquestionnaire believed that the processes to request funds for physical security-related needs\nwere clear and easy to use. However, a significant number of post security officials believed the\nprocesses were unclear and difficult and expressed dissatisfaction with the timeliness or\nsufficiency of the responses received to their formal requests for physical security funding. The\nlack of understanding, perceived complexity of the processes, and dissatisfaction with responses\nto requests occurred because the Department had not developed standardized and documented\npolicies and procedures for the processes to request funds for the majority of physical\nsecurity-related needs. In addition, some post security officials indicated that the training\nprovided for requesting funds was inadequate. The lack of standard documented policies and\n\n                                            1\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nprocedures may result in post physical security needs not being addressed adequately or\npromptly.\n\n         Kearney could not determine the extent to which the Department used physical security\nfunds for high-priority physical security needs at overseas posts during FY 2012 because the\nDepartment did not have complete information to prioritize post physical security needs.\nSpecifically, DS did not have a comprehensive list of physical security deficiencies at all\noverseas posts, and neither DS nor OBO maintained a list of posts\xe2\x80\x99 FY 2012 requests for\nphysical security funding and the disposition of those requests. In addition, neither DS nor OBO\nhad formal processes to prioritize physical security needs; funding decisions were often made by\none individual without documented standards and guidance. Further, DS and OBO did not have\nsufficient formal processes for coordinating the establishment of standards to help determine\npriorities and facilitate agreement on funding decisions. Nor had DS and OBO prepared a\ncomprehensive long-range physical security plan that would help focus attention on critical\nneeds. As a result, the Department could not ensure that the highest priority physical\nsecurity-related needs at overseas posts were corrected and that posts\xe2\x80\x99 vulnerability to threats had\nbeen sufficiently reduced.\n\n        OIG made 10 recommendations to the Department related to developing and\nimplementing standard policies and procedures for requesting funds and responding to posts\xe2\x80\x99\nrequests; collecting and maintaining a comprehensive list of all posts\xe2\x80\x99 physical security\ndeficiencies; developing and implementing formal, standardized processes to prioritize physical\nsecurity deficiencies; and better defining the roles and responsibilities of DS and OBO in these\nprocesses.\n\n        In its February 21, 2014, response (see Appendix C) to the draft report, DS concurred\nwith the six recommendations addressed to it. In its February 19, 2014, response (see Appendix\nD) to the draft report, OBO concurred with three recommendations and did not concur with one\nrecommendation addressed to it. Based on the comments received, OIG considers six of the 10\nrecommendations resolved, pending further action, and four recommendations unresolved.\nManagement\xe2\x80\x99s responses and OIG\xe2\x80\x99s replies to those responses are included after each\nrecommendation.\n\n                                          Background\n       Embassies have long been the target of terrorist attacks against the United States\noverseas. Since 1993, there have been more than 20 attacks on U.S. diplomatic facilities,\nincluding the deadly car bombings in Tanzania and Kenya and the assault on the U.S. Mission in\nBenghazi, Libya. In August 2013, the threat of violence closed embassies in more than 10\ncountries for several days.\n\n        The Department has more than 4,500 Government-owned or long-term leased residential\nand non-residential buildings in more than 280 overseas locations. Over 86,000 U.S.\nGovernment employees from more than 30 agencies, including the Department, the U.S. Agency\nfor International Development, the U.S. Department of Agriculture, and the Department of\nCommerce, work or live in these facilities. The protection of these employees is the\n                                                2\n                                       UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n\n\n\nresponsibility of the Secretary of State, as designated under the Omnibus Diplomatic Security\nand Antiterrorism Act of 1986, as amended.\n\n         A fundamental component of protecting U.S. Government employees is maintaining\nsufficient physical security1 at overseas facilities. Physical security relates to physical\nmeasures\xe2\x80\x94such as locked doors, perimeter fences, and other barriers\xe2\x80\x94designed to protect\nfacilities against access by unauthorized personnel (including attacks or intruders) and to\nsafeguard personnel working in those facilities.\n\n       The average age of the Department\xe2\x80\x99s overseas buildings exceeds 40 years. After the\nbombings of the U.S. embassies in 1998, the Department determined that \xe2\x80\x9c195 (80 percent) of its\noverseas facilities did not meet security standards and should be replaced.\xe2\x80\x9d 2 The Department\nreported that as of February 2012, it had completed 98 new facilities and was continuing to\nmanage the ongoing construction or design of 43 facilities.\n\nPhysical Security-Related Legislation and Directives\n\n        Over the past several decades, legislation and Presidential Directives have been\nimplemented to help ensure the security of U.S. diplomatic facilities and U.S. personnel on\nofficial duty abroad. Those addressing physical security include the Omnibus Diplomatic\nSecurity and Antiterrorism Act of 1986, the Secure Embassy Construction and Counterterrorism\nAct of 1999 (SECCA), and Presidential Decision Directive/NSC-29. 3\n\n         Omnibus Diplomatic Security and Antiterrorism Act of 1986\n\n        Under Section 103(a) of the Omnibus Diplomatic Security and Antiterrorism Act of\n1986, as amended, the Secretary of State must develop and implement, in consultation with the\nheads of other Federal agencies having personnel or missions abroad, policies and programs to\nprovide for the security of U.S. Government operations of a diplomatic nature. These policies\nand programs must include, among other things, protection of all U.S. Government personnel on\nofficial duty abroad and their accompanying dependents, and establishment and operation of\nsecurity functions at all U.S. Government missions abroad. 4 In addition, Section 301 of the Act\nrequires the Secretary of State to convene an Accountability Review Board whenever there is\nserious injury, loss of life, or significant destruction of property at or related to a U.S. mission\nabroad.\n\n\n\n\n1 Closely related to physical security are the technical security safeguards required to protect certain facilities\n\n\nagainst intelligence collection or observation and procedural security to monitor and control physical access to\n\n\nfacilities. Technical security involves measures such as metal detectors, x-ray machines, alarm systems, and bomb\n\n\ndetection devices. Procedural security includes functions such as guard services, including marine guards.\n\n\n2 Congressional Budget Justification, Volume 1: Department of State Operations, Fiscal Year 2014, p. 393.\n\n\n3 Security Policy Coordination, Sept. 1994.\n\n\n4 The Secretary of State\xe2\x80\x99s security responsibilities under this act do not apply to personnel or facilities under the\n\n\ncommand or control of a U.S. area military commander.\n\n\n                                                     3\n                                                UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n\n        Secure Embassy Construction and Counterterrorism Act\n\n         As a result of the 1998 attacks on the U.S. Embassies in Nairobi, Kenya, and Dar es\nSalaam, Tanzania, and the findings of the Accountability Review Boards convened as a result of\nthose attacks, Congress passed SECCA. SECCA established certain statutory security\nrequirements for U.S. diplomatic facilities. Specifically, SECCA required that the Department\nimplement an emergency action plan for overseas posts and provide crisis management and other\nsecurity-related training to Department personnel. In addition, SECCA required the Department,\nwhen it selected a site for any new U.S. diplomatic facility abroad, to collocate all U.S.\nGovernment personnel (except for those under the command of an area military commander) on\nthe site and to ensure the buildings would be located at least 100 feet from the perimeter of the\nproperty.\n\n        Presidential Decision Directive/NSC-29\n\n       In September 1994, the President transferred the functions of the Department\xe2\x80\x99s Overseas\nSecurity Policy Group to the Overseas Security Policy Board (OSPB) under the Assistant to the\nPresident for National Security Affairs. Chaired by the Assistant Secretary for DS, OSPB\xe2\x80\x99s\nmembers include directors of the foreign affairs and intelligence agencies represented at U.S.\nmissions abroad. The OSPB is responsible for implementing requirements from the Omnibus\nDiplomatic Security and Antiterrorism Act and SECCA. The OSPB considers, develops,\ncoordinates, and promotes policies, standards, and agreements on overseas security operations,\nprograms, and projects that affect all U.S. Government agencies under the authority of a Chief of\nMission. 5\n\nDepartment Bureaus and Offices With Security-Related Responsibilities\n\n        Two Department bureaus share the responsibility for ensuring that the Department\xe2\x80\x99s\noverseas facilities are safe and secure: DS and OBO. The Foreign Affairs Manual (FAM)\nassigns DS the responsibility for ensuring that all new construction and major renovation design\nplans for buildings occupied by U.S. Government personnel comply with physical security\nstandards established by SECCA and OSPB. The FAM assigns OBO the responsibility for\nincorporating physical security standards into the Department\xe2\x80\x99s building projects. 6\n\n        Bureau of Diplomatic Security\n\n       DS is responsible for providing a safe and secure environment for the conduct of U.S.\nforeign policy. DS also protects people, property, and information at the Department\xe2\x80\x99s missions\nworldwide. Every diplomatic mission in the world operates under a security program designed\nand maintained by DS.\n\n\n\n5 In each embassy, the Chief of Mission (usually an Ambassador) is responsible for executing U.S. foreign policy\n\n\ngoals and for coordinating and managing all U.S. Government functions in the host country.\n\n\n6 12 FAM 312, \xe2\x80\x9cProgram Management Responsibilities.\xe2\x80\x9d\n\n\n\n                                                    4\n                                               UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n        Several offices within DS have responsibilities relating to physical security. Three\noffices with a significant level of involvement in physical security-related issues are the\nInternational Programs Directorate, the Office of Physical Security Programs, and the Threat\nInvestigations and Analysis Directorate.\n\n        International Programs Directorate/High Threat Programs Directorate. The\nmission of these directorates is to provide leadership, support, and oversight of overseas security\nand law enforcement programs and related policy for the benefit of U.S. Government interests\nand the international community. The Directorate\xe2\x80\x99s Office of Regional Directors works to\nprovide a safe and secure environment for the conduct of U.S. foreign policy through the\noversight and support of Regional Security Offices worldwide. The Office of Regional Directors\noversees the work of over 700 Regional Security Officers (RSO) at over 250 posts worldwide.\nRSOs serve as personal security advisors to the Chiefs of Mission on all security issues. RSOs\nare responsible for implementing and managing the Department\xe2\x80\x99s security and law enforcement\nprograms abroad, and they identify security needs at posts and request funds for those needs.\nRSOs are residents at a particular post, but they may be responsible for other constituent posts\nwithin their respective region.\n\n       Office of Physical Security Programs. The Office of Physical Security Programs,\nwhich is under the purview of DS\xe2\x80\x99 Countermeasures Directorate, directs and develops worldwide\nphysical security standards, policies, procedures, and guidelines. The Office\xe2\x80\x99s Physical Security\nDivision provides oversight for new construction and major renovation projects abroad by\nensuring conformance with OSPB-approved security standards.\n\n        Within the Physical Security Division, the Project Coordination Branch evaluates\nprojects to ensure the proper application of physical security standards in the selection, design,\nconstruction, and modification of facilities abroad. The goal of the physical security program is\nto provide a safe and secure physical security environment at overseas diplomatic posts for the\nprotection of U.S. Government personnel, facilities, and classified information under the\nauthority of the Chief of Mission. The Project Coordination Branch uses OSPB-approved\nphysical security standards and the statutory requirements contained in SECCA to achieve this\ngoal. In addition, the New Office Building Branch provides project oversight to ensure that\nOSPB standards and SECCA requirements are implemented for new office buildings abroad.\n\n         Desk Officers in the Project Coordination Branch provide post management and RSOs\nwith subject matter guidance and assistance. Desk Officers serve as the RSOs\xe2\x80\x99 points of contact\nfor all physical security matters. Specifically, Desk Officers work closely with RSOs to ensure\nthat RSOs\xe2\x80\x99 requests for physical security upgrades, waivers to SECCA, or exceptions to OSPB\nstandards have merit, are accurate, are complete, are coordinated with OBO, and are tracked to\nconclusion.\n\n       Threat Investigations and Analysis Directorate. The Threat Investigations and\nAnalysis Directorate is the primary DS organization that gathers, analyzes, investigates, and\ndisseminates threat information to protect American interests worldwide. The Directorate\xe2\x80\x99s\nOffice of Intelligence and Threat Analysis ensures that timely intelligence information is made\navailable to DS officers, both domestically and overseas. The Office of Intelligence and Threat\n                                                5\n                                        UNCLASSIFIED\n\x0c                                                 UNCLASSIFIED\n\n\n\n\nAnalysis also prepares annually the Security Environment Threat List (SETL), which categorizes\nthreats at posts overseas into five threat categories with four levels\xe2\x80\x94critical, high, medium, or\nlow. The OSPB physical security standards applied to an overseas facility 7 correspond with the\nSETL threat level identified for that post.\n\n           Bureau of Overseas Buildings Operations\n\n        OBO is responsible for incorporating physical security standards, including SECCA and\nOSPB requirements, into building projects. OBO formulates and directs the implementation of\nbuilding policies to provide safe, secure, and functional facilities overseas. Additionally, OBO\ndetermines priorities for the design, construction, acquisition, maintenance, utilization, and sale\nof real properties.\n\n       OBO offices primarily involved with physical security-related issues include the Offices\nof Security Management, Operations, and Design and Engineering.\n\n        Office of Security Management. The Office of Security Management, within OBO\xe2\x80\x99s\nConstruction, Facilities and Security Management Directorate, allocates the majority of the\nfunding for physical security activities overseas. The Office of Security Management\xe2\x80\x99s mission\nis to ensure that all appropriate physical, technical, and procedural security measures are\nincorporated into every OBO project design for U.S. diplomatic facilities and to manage\nconstruction security programs that prevent physical and technical penetration and safeguard\nagainst mob violence and terrorist attacks. The Office of Security Management directs and\nmonitors adherence to physical and technical security policies and standards for new office\nbuildings, major renovations, and other upgrade projects for facilities abroad to protect against\nphysical or technical compromise during construction.\n\n       Within the Office of Security Management\xe2\x80\x99s Security Operations Division, the Program\nSecurity Operations Branch is responsible for the compound security program. This branch\ncontrols the funding for physical security upgrades of existing facilities. The Program Security\nOperations Branch manages major upgrades, which are large-scale, multimillion-dollar projects.\nMinor projects, such as installing bollards and window grills, are usually managed by posts, with\nthe Program Security Operations Branch providing design expertise and some assistance.\n\n        Office of Operations. The Office of Operations mission is to serve as overseas posts\'\npoint of contact within OBO. Within the Office of Operations, the Area Management Division\nprovides customer service support to posts and acts as a liaison between posts and OBO,\nexplaining posts\xe2\x80\x99 needs and limitations to OBO and OBO\'s policies and procedures to posts.\nPosts\xe2\x80\x99 Repair and Improvement (R&I) projects are managed by the Area Management Division.\n\n       Office of Design and Engineering. The Office of Design and Engineering, under\nOBO\xe2\x80\x99s Program Development, Coordination and Support Directorate, provides design, research,\nand technical assistance bureau-wide for all Department facilities overseas. The Office of\nDesign and Engineering\xe2\x80\x99s Mechanical Engineering Division is responsible for establishing\n\n7   The OSPB standards provide requirements for eight types of facilities.\n                                                      6\n                                                 UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n\n\n\nU.S. Government requirements for environmental security for overseas buildings, including\nchanceries, office annexes, consulates, residences, Marine Security Guard quarters, warehouses,\nand compound access control facilities. The Mechanical Engineering Division establishes\ncriteria for plans, designs, specifications, and analysis in new construction and in retrofits and\nupgrades of existing overseas buildings.\n\n        Overseas Security Policy Board\n\n        OSPB working groups develop security standards for threat categories. These standards\ncover topics that include Construction Security, Construction Materials and Transit Security\nDesign and Construction of Controlled Access Areas, Physical Security of Unclassified\nWarehouses, and Physical Security. 8 For physical security, OSPB develops standards on items\nsuch as the height of perimeter walls, the number of minutes of protection for\nforced-entry/ballistic-resistant (FE/BR) doors, and the distance for building setbacks.\n\nPrior OIG Reports\n\n        OIG issued a number of audit and inspection reports related to physical security issues at\noverseas posts. For example, in its reports Audit of Department of State Compliance With\nPhysical/Procedures Security Standards at Selected High Threat Level Posts 9 and Audit of\nDepartment of State Compliance With Physical Security Standards at Selected Posts Within the\nBureau of African Affairs, 10 OIG\xe2\x80\x99s Office of Audits found that posts were not always in\ncompliance with current physical security standards and that common physical and procedural\nsecurity deficiencies occurred among the posts included in the audits. In addition, in the report\nReview of Overseas Security Policy Board Exceptions and Security Embassy Construction and\nCounterterrorism Act of 1999 Waivers, 11 the Office of Inspections reported that DS had not\nadequately tracked exceptions granted to the OSPB physical security standards or SECCA\nwaivers of collocation and setback.\n\n                                             Objectives\n        The objectives of this audit were the following:\n\n        \xe2\x80\xa2\t\t To identify the FY 2012 funding mechanisms and amounts expended for physical\n            security-related activities at Department-owned or -operated buildings overseas.\n        \xe2\x80\xa2\t\t To determine whether the process for posts to request funds for physical security\n            needs at Department-owned or -operated buildings was easy to use and was\n            understood by post security officials.\n        \xe2\x80\xa2\t\t To determine to what extent the Department used physical security funds for high-\n            priority physical security needs at overseas posts during FY 2012.\n\n\n8 12 FAM 314, \xe2\x80\x9cOSPB Security Standards.\xe2\x80\x9d\n9 AUD-SI-13-32,   Jun. 2013.\n10 AUD-HCI-13-40, Sept. 2013.\n11 ISP-I-13-06, Jan. 2013.\n\n                                                7\n                                           UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n\n\n\n                                                 Audit Results\n\n\n\nFinding A. Not All FY 2012 Physical Security Funding and Expenditures\nCould Be Identified\n        The Department funded its FY 2012 physical security-related activities at\nDepartment-owned or -operated buildings overseas primarily with funds received for Worldwide\nSecurity Upgrades in the Department\xe2\x80\x99s Embassy, Security, Construction, and Maintenance\n(ESCM) appropriation. These funds, amounting to $775 million in FY 2012, supported OBO\xe2\x80\x99s\nCompound Security Program, Capital Security Construction Program, and Maintenance Cost\nSharing Program. The Department also received $511.4 million for the Capital Security\nConstruction and Maintenance Cost Sharing Programs from other agencies at overseas posts\nthrough cost-sharing agreements. In addition, although not provided specifically for physical\nsecurity, other funds may have been used for physical security needs in FY 2012, including\nfunds received by OBO for Repair and Construction and Overseas Contingency Operations, as\nwell as funds received by DS for Worldwide Security Protection.\n\n         Kearney could not identify all Department expenditures for physical security-related\nactivities overseas because the Department did not, and was not required to, discretely track all\nphysical security expenditures. The Department used various accounting codes to classify and\naccount for its financial transactions. For example, function codes 12 were used to show the\npurpose of and to account for expenditures and program costs. The Department had established\nspecific physical security-related function codes for Compound Security Program expenditures\nand other function codes for non-residential and residential physical security expenditures.\nHowever, not all physical security-related activities had discrete function codes. For example,\nOBO expended approximately $938 million of Worldwide Security Upgrades funds in FY 2012,\nbut only $76.1 million of that amount, which was expended through the Compound Security\nProgram, was recorded with physical security-related function codes and could be directly\nattributed to physical security activities. 13 (The methodology used to identify physical security-\nrelated transactions is described in Appendix A.) OBO expenditures from other Worldwide\nSecurity Upgrades programs, as well as expenditures from Repair and Construction and\nOverseas Contingency Operations funds, were recorded with non-physical security-related\nfunction codes and could not be directly attributed to physical security activities. In addition to\nthe Compound Security Program expenditures of $76.1 million, Kearney identified DS\nexpenditures amounting to approximately $48 million from Worldwide Security Protection funds\nfor non-residential physical security.\n\n\n\n\n124 FAH-1 H-500, \xe2\x80\x9cFunction Classification Structure.\xe2\x80\x9d\n\n\n13Kearney did not test expenditures as part of this audit. Although Kearney could not directly attribute all \n\nWorldwide Security Upgrades expenditures to physical security activities based on the accounting codes used,\n\n\nnothing came to Kearney\xe2\x80\x99s attention within the limited scope of its analysis of expenditures that would indicate the\n\n\nexpenditures were not appropriate.\n\n\n                                                     8\n                                                UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n\nWorldwide Security Upgrades\n\n        The Department\xe2\x80\x99s FY 2012 ESCM appropriation contained $775 million in funding for\nworldwide security upgrades, acquisition, and construction. This funding supported three OBO\nPrograms: Compound Security, Capital Security Construction, and Maintenance Cost Sharing.\nIn addition, other agencies provided a total of $511.4 million for the Capital Security\nConstruction and Maintenance Cost Sharing Programs.\n\n        OBO expended approximately $938 million of Worldwide Security Upgrades funds in\nFY 2012. However, only $76.1 million of that amount, which was expended for the Compound\nSecurity Program, could be directly attributed to physical security activities. Kearney could not\nidentify the physical security expenditures for the Capital Security Construction and\nMaintenance Cost Sharing Programs by the function codes used.\n\n       Compound Security Program\n\n         The Department received $85 million in FY 2012 for the Compound Security Program.\nThis program funded physical security upgrades at long-term leased and Government-owned\nfacilities, including comprehensive security upgrade projects, major FE/BR resistant door and\nwindow replacement projects, chemical/biological projects, emergency egress projects, and\nsecurity upgrades for soft targets. The program also funded the design and construction of\ncompound access controls, replacement of shatter-resistant window film, replacement of active\nand passive vehicle barriers, and other physical security measures.\n\n        During FY 2012, OBO expended approximately $76.1 million of Compound Security\nProgram funds specifically for physical security-related projects. Approximately 44 percent, or\n$33.3 million, of the expenditures were associated with comprehensive major compound security\nupgrades. For example, OBO expended funds for newly initiated comprehensive physical\nsecurity upgrade projects at four posts and for over 20 projects that had been initiated in prior\nyears. An additional 19 percent of the funds, or $14.5 million, were spent for the installation or\nlifecycle replacement of major FE/BR doors and windows, including new projects at 10 posts,\nnearly a dozen projects that were initiated in prior years, and the planning and design of future\nprojects for five posts.\n\n       In addition to the major compound physical security upgrades and FE/BR projects, OBO\nexpended approximately $2.4 million for physical security-related projects, including one major\nemergency egress project, in response to riots and attacks that occurred at some posts. OBO also\nexpended about $7.3 million for minor physical security upgrade projects, primarily related to\nthe improvement of perimeter security, such as the construction of mantraps and gates and\nupgrades to perimeter walls and fences, at dozens of posts. Further, expenditures of\napproximately $7.1 million for environmental security included the installation of off-compound\nmail screening facilities at 26 posts. All FY 2012 Compound Security Program expenditures by\nfunction code are summarized in Table 1.\n\n\n\n                                            9\n                                       UNCLASSIFIED\n\x0c                                                  UNCLASSIFIED\n\n\n         Table 1. FY 2012 Compound Security Program Expenditures\n          Function Code                                   Description                                     Amount\n          7941                  Minor Physical Security Upgrades                                           $7,269,196\n          7943                  Major FE/BR Doors and Windows                                              14,514,437\n          7944                  Environmental Security                                                      7,054,265\n          7945                  Major Compound Physical Security Upgrades                                  33,301,229\n          7946                  Minor FE/BR Doors and Windows                                               4,669,274\n          7947                  Emergency Fire and Egress                                                   2,389,973\n          794X                  Other                                                                       6,890,508\n          Total                                                                                           $76,088,882\n         Source: Prepared by Kearney based on its analysis of FY 2012 expense transactions in the Department\xe2\x80\x99s financial\n         accounting system.\n\n         Capital Security Construction Program\n\n        The Department received $579.2 million in FY 2012 to fund the Capital Security\nConstruction Program. In addition, other agencies with overseas staff under Chief of Mission\nauthority contributed $429.1 million to the Capital Security Construction Program through the\nCapital Security Cost Sharing Program. 14 This funding, totaling $1 billion in FY 2012,\nsupported the planning, design, and construction of new embassy compounds (NEC) and other\ncapital projects to replace existing facilities.\n\n       During FY 2012, OBO expended $820 million of Capital Security Construction Program\nfunds. These funds were used to complete projects at nine overseas posts, including Kyiv,\nUkraine; Monrovia, Liberia; and Mumbai, India. The funds were also used to manage the\nongoing design and construction of 43 facilities, including NECs and other capital projects at\nCotonou, Benin; Jakarta, Indonesia; Jeddah, Saudi Arabia; Taipei, Taiwan; and Mbabane,\nSwaziland.\n\n       Construction expenditures amounted to approximately $616 million and accounted for\n75 percent of the total expenditures. Other significant expenditures were for project supervision\n(about $42.7 million, or 5 percent), the acquisition of unimproved land (about $39.3 million, or\n5 percent), and onsite security at construction projects (about $30.6 million, or 4 percent).\nFY 2012 program expenditures by function code are summarized in Table 2.\n\n\n\n\n14The Capital Security Cost Sharing Program requires that all affected agencies at overseas posts pay a\nproportionate share toward the construction of secure facilities. Other agencies\xe2\x80\x99 shares are based upon their total\nnumber of existing and projected authorized positions overseas.\n                                                       10\n                                                  UNCLASSIFIED\n\x0c                                                  UNCLASSIFIED\n\n\n         Table 2. FY 2012 Capital Security Construction Program Expenditures\n          Function Code                                   Description                                     Amount\n          7110                  Unimproved Land                                                           $39,293,476\n          7111                  Design/Development                                                         16,528,185\n          7112                  Construction                                                              616,249,866\n          7113                  Site Maintenance and Development Plan                                       8,885,265\n          713X                  Furnishings                                                                18,002,215\n          7141                  Project Supervision Capital Projects                                       42,661,309\n          7142                  Construction Security Site Operations                                      30,621,695\n          7143                  Construction Surveillance/Guards                                           18,596,348\n          7144                  Other Construction Security Program                                         3,257,902\n          7531                  Planning & Development Program Support                                     24,602,703\n          7541                  Real Estate Program Costs                                                   1,337,708\n          Total                                                                                          $820,036,672\n         Source: Prepared by Kearney based on its analysis of FY 2012 expense transactions in the Department\xe2\x80\x99s financial\n         accounting system.\n\n       Kearney was unable to determine the amount of Capital Security Construction Program\nfunds spent specifically for physical security-related items by the function codes used. However,\nthe Department considers all Capital Security Construction Program expenditures to be related to\nphysical security because these funds were used only if the requirement for new construction was\ndriven primarily by security concerns 15 and the facilities are built to meet SECCA standards.\n\n         Maintenance Cost Sharing Program\n\n        The Department received $110.8 million in FY 2012 for the Maintenance Cost Sharing\nProgram. In addition, other agencies contributed $82.2 million to the Maintenance Cost Sharing\nProgram through the Capital Security Cost Sharing Program. 16 Although provided for\nworldwide security upgrades, the use of these funds is not limited to physical security-related\nitems. This funding, totaling $193 million in FY 2012, was used for the maintenance and\nrehabilitation of non-residential properties that were shared by multiple agencies at post. The\nMaintenance Cost Sharing Program funds major rehabilitation projects as well as routine facility\nmaintenance and repair and preventive maintenance contracts. Major rehabilitation projects\ninclude upgrades to fire and life safety systems, heating and air conditioning systems, electrical\nsystems, and physical and technical security items. Routine maintenance and repair includes\nrepairs of a minor nature, such as fixing broken pipes, painting, and purchasing supplies in bulk.\n\n       OBO expended approximately $15.7 million of Maintenance Cost Sharing Program funds\nin FY 2012, which was the first year of the Maintenance Cost Sharing Program. The majority of\nexpenditures for FY 2012, $10.7 million, were for routine maintenance and repair. OBO also\nexpended Maintenance Cost Sharing Program funds for four major rehabilitation projects at\n\n15 The Department receives separate funding for the construction of new overseas facilities if the requirement is\n\n\nprimarily for other than security reasons.\n\n\n16 The Capital Security Cost Sharing Program was expanded in FY 2012 to include the Maintenance Cost Sharing\n\n\nProgram.\n\n\n                                                       11\n                                                  UNCLASSIFIED\n\x0c                                                 UNCLASSIFIED\n\n\nBudapest, Hungary; Frankfurt, Germany; Vilnius, Lithuania; and Wellington, New Zealand. FY\n2012 Maintenance Cost Sharing Program expenditures by function code are summarized in\nTable 3.\n\n        Table 3. FY 2012 Maintenance Cost Sharing Program Expenditures\n         Function Code                                   Description                                     Amount\n         7901                  Post Routine Maintenance and Repair                                       $10,708,100\n         7904                  Facility Rehabilitation and Support Systems                                 2,077,835\n         7905                  Environmental Security Protection Systems Program                           1,728,012\n         791X                  Major Rehabilitation Design/Construction/                                   1,162,578\n                               Supervision/Security\n         Total                                                                                           $15,676,525\n        Source: Prepared by Kearney based on its analysis of FY 2012 expense transactions in the Department\xe2\x80\x99s financial\n        accounting system.\n\n         Kearney was unable to determine the amount of Maintenance Cost Sharing Program\nexpenditures for physical security because the physical security-related expenditures were not\ndiscretely tracked by the Department. All post routine maintenance and repairs are recorded to\nthe same function code. In addition, when a major rehabilitation project is scheduled at a post\nthat is also scheduled to receive a physical security upgrade, the physical security upgrade is\nperformed as part of the major rehabilitation project to avoid developing two separate plans for\nthe projects. Because the physical security component was included as part of the overall\nproject, the physical security expenditures could not be identified separately.\n\n        Miscellaneous Worldwide Security Upgrades Expenditures\n\n       In addition to the expenditures for the three Worldwide Security Upgrades programs,\nKearney identified expenditures of approximately $26.9 million for other items. Kearney was\nunable to determine whether any of these expenditures were for physical security-related items\nbased on the function codes used. 17 These additional expenditures by function code are\nsummarized in Table 4.\n\n        Table 4. FY 2012 Other Expenditures\n         Function Code                                   Description                                     Amount\n\n         6134                  Procurement Services - ICASS                                              $20,542,097\n         7663                  Maintenance Tech Support Program                                            6,279,567\n         768X/Blank            Miscellaneous                                                                  66,437\n         Total                                                                                           $26,888,101\n        Source: Prepared by Kearney based on its analysis of FY 2012 expense transactions in the Department\xe2\x80\x99s financial\n        accounting system.\n\n\n\n\n17According to OBO management, the \xe2\x80\x9cProcurement Services \xe2\x80\x93 ICASS\xe2\x80\x9d expenditures amounting to $20.5 million\nmay have been related to NEC and rehabilitation projects.\n                                                      12\n                                                 UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n\n\nOther Funding Used for Physical Security\n\n       While the majority of the Department\xe2\x80\x99s physical security projects were funded from\nOBO\xe2\x80\x99s Worldwide Security Upgrades programs, funds from other sources were used for\nphysical security. For example, funds provided to OBO for Repair and Construction and\nOverseas Contingency Operations can be used for some physical security needs. In addition,\nfunds provided to DS for Worldwide Security Protection can also be used for physical security.\n\n       Repair and Construction\n\n       The Department\xe2\x80\x99s FY 2012 ESCM appropriation contained $63 million for repair and\nconstruction. This funding supported two OBO programs: R&I and Major Rehabilitation.\nSome funds from these programs were used for physical security needs.\n\n        Repair and Improvement Program. The Department received $51 million in FY 2012\nfor OBO\xe2\x80\x99s R&I Program. This program funds repairs and upgrades at Department facilities and\nis a core component of the OBO maintenance program. Although the use of R&I Program funds\nfor physical security is fairly limited, posts may fund certain repairs relating to physical security\nusing these funds. For example, walls, FE/BR doors, and non-FE/BR doors can be repaired\nusing R&I funds. In FY 2012, OBO expended $22.8 million for R&I. Because R&I\nexpenditures were recorded using the R&I function codes, the physical security expenditures\ncould not be identified separately.\n\n        Major Rehabilitation Program. The Department received $12 million in FY 2012 for\nOBO\xe2\x80\x99s Major Rehabilitation Program. The Major Rehabilitation Program funds major\ncomprehensive renovations of existing facilities that are occupied only by Department personnel.\nIn FY 2012, OBO expended $65.6 million for major rehabilitation projects. These projects may\ninclude physical security components. However, because the physical security components are\nincluded as part of the overall project, the physical security expenditures cannot be identified\nseparately by function code in the Department\xe2\x80\x99s accounting system. The types and costs of\nphysical security-related items may be identifiable in the construction contract for each major\nrehabilitation project; however, Kearney did not review the construction contracts as part of this\naudit.\n\n       Overseas Contingency Operations\n\n       In FY 2012, the Department received Overseas Contingency Operations funds amounting\nto $115.7 million under the ESCM appropriation. This funding, which began in FY 2012,\nprovides for the extraordinary and temporary costs for operations and assistance in Iraq,\nAfghanistan, and Pakistan.\n\n        In FY 2012, OBO expended Overseas Contingency Operations funds amounting to $9.7\nmillion from the ESCM appropriation. Of the $9.7 million, $9 million was for rent expenses and\napproximately $0.7 million was related to a major rehabilitation project in Tripoli, Libya.\nKearney could not determine whether the major rehabilitation project included a physical\nsecurity component based on the function codes used for these expenditures.\n                                              13\n                                      UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\n\n\n       Worldwide Security Protection\n\n        The Department\xe2\x80\x99s FY 2012 Diplomatic & Consular Programs (D&CP) appropriations\ncontained $1.35 billion in funding for Worldwide Security Protection and an additional $236.2\nmillion in Overseas Contingency Operations funds. This funding supports primarily security\nstaffing to ensure the safety of American diplomats, to protect the integrity of the data and\nsystems on which these personnel rely, and to secure the facilities in which these personnel work\nand reside. Specifically, the funding supports the worldwide local guard program, high-threat\nprotection, security technology, armored vehicles, cyber security, information security, facility\nprotection, and diplomatic couriers. It also supports emergency preparedness programs, internal\nand interagency collaborations and information sharing, and medical emergencies planning in the\nevent of mass casualties from a biological or chemical attack.\n\n        Although the majority of physical security needs are funded by OBO, DS has used\nWorldwide Security Protection funds for physical security-related projects. Kearney identified\nFY 2012 expenditures amounting to approximately $48 million for non-residential physical\nsecurity that were recorded to function code 5831\xe2\x80\x94Perimeter and Internal Security. A DS\nofficial stated that DS used this function code for physical security-related activities. For\nexample, DS had provided Worldwide Security Protection funds totaling $259,920 in FY 2012\nfor six physical security projects relating to perimeter and internal security in Libya, Saudi\nArabia, and Yemen. A summary of FY 2012 expenditures recorded to function code 5831\xe2\x80\x94\nPerimeter and Internal Security by appropriation, or expenditure account, is provided in Table 5.\n\n       Table 5. FY 2012 Function Code 5831 Expenditures by Expenditure Account\n                                  Expenditure Account                                          Amount\n        D&CP Afghanistan Operations \xe2\x80\x93 Overseas Contingency                                     $27,645,000\n        Operations\n        D&CP Afghanistan Operations                                                              1,791,224\n        D&CP Emergency Supplemental                                                             17,605,430\n        D&CP Iraq Embassy Operations                                                             1,218,002\n        D&CP Machine Readable Visa Processing Fee                                                    6,038\n        Total                                                                                  $48,265,694\n       Source: Prepared by Kearney based on its analysis of FY 2012 expense transactions in the Department\xe2\x80\x99s financial\n       accounting system.\n\nFinding B. Processes To Request Funds for Physical Security Needs Could Be\nImproved\n        The majority of the post security officials responding to an OIG questionnaire indicated\nthat the processes to request funds for physical security-related needs at Department-owned or\nDepartment-operated buildings were clear and easy to use. (The process used for the\nquestionnaire is explained in Appendix A, and the questionnaire is in Appendix B.) However, a\nsignificant number of post security officials responded that the processes were unclear and\ndifficult to use. In addition, a significant number of respondents expressed dissatisfaction with\n                                                     14\n                                                UNCLASSIFIED\n\x0c                                                   UNCLASSIFIED\n\n\n\n\nthe timeliness or sufficiency of the responses OBO provided to the respondents\xe2\x80\x99 formal requests\nfor physical security funding.\n\n        The lack of understanding, the perceived complexity of the processes, and dissatisfaction\nwith responses to formal requests occurred because neither DS nor OBO had developed\nstandardized and documented policies and procedures for the processes to request funds for the\nmajority of physical security-related needs. In addition, many post security officials indicated\nthat the training provided for requesting funds was inadequate. As of September 2013, DS was\ndeveloping a tool to help identify and document post physical security-related needs, which may\nclarify and simplify the request processes. However, this tool was not expected to be fully\nimplemented until 2016. The lack of standard, documented policies and procedures may result\nin post physical security needs not being addressed adequately or promptly.\n\nMany Posts Indicated Physical Security-Related Needs Existed During FY 2012\n\n        In response to the OIG questionnaire, 83 (63 percent) of 132 post security officials\nindicated that their posts had physical security-related needs in FY 2012. The types of needs\nidentified by these post officials included minor physical security upgrades, major physical\nsecurity upgrades, other security issues, and R&I, as shown in Table 6.\n\nTable 6. Physical Security-Related Needs During FY 2012 Reported in Response to OIG\nQuestionnaire\n                                                                                           Number of\n     Type of Need                                         Definition\n                                                                                             Needs\n    Minor Physical           Post-managed projects, generally less than $250,000, with           136\n   Security Upgrade          upgrades to perimeter protection, facility protection, and\n                             interior protection to bring deficient facilities into\n                             compliance with OSPB standards.\n    Major Physical           OBO-managed projects, generally $250,000 or more, with               62\n   Security Upgrade          upgrades to perimeter protection, facility protection, and\n                             interior protection to bring deficient facilities into\n                             compliance with OSPB standards.\n     Other Security          Any projects relating to physical security that are not              13\n        Issues               encompassed by the other categories, such as upgrades that\n                             are not related to OSPB standards but may be warranted\n                             given special circumstances at an overseas post.\n      Repair and             Projects to restore deteriorated or damaged property to its          60\n     Improvement             original condition or increase a property\xe2\x80\x99s value or change\n                             its use.\n Total                                                                                           271\nSource: Prepared by Kearney based on its analysis of questionnaire responses.\n\n        The majority of the post needs were identified as having been existing deficiencies (71,\nor 46 percent), with the second largest number identified as occurring because of normal\ndeterioration of the facilities (38, or 24 percent).\n\n\n                                                        15\n                                                   UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n       Although 83 respondents said that their posts had physical security-related needs in\nFY 2012, only 59 (71 percent) of the 83 indicated that they had formally requested funding for\nthose needs. The reasons provided for not formally requesting funding for physical security\nneeds included that post did not believe the need would be funded, post used its own funds to fill\nthe need, a post was scheduled for a NEC, and physical security needs were incorporated into a\nmajor rehabilitation project for which funding was provided through a different process.\n\nProcesses Existed for Requesting Physical Security Funds Depending on Need\n\n          The processes for requesting funding for minor and major physical security upgrades\nwere similar. Generally, when RSOs identify a physical security need or deficiency, they first\ncontact their respective Desk Officers informing them of the need via email. The Desk Officer\nreviews the informal request to determine whether the need is required to meet OSPB standards.\nIf it is required, the Desk Officer communicates the request to OBO\xe2\x80\x99s Program Security\nOperations Branch. If OBO agrees with the request, the RSO prepares, with the Desk Officer\xe2\x80\x99s\nassistance if needed, a formal request cable for submission to OBO. Once OBO approves the\nformal request, OBO enters the request into the Buildings Management Integrated System, 18\nwhich generates a project number. OBO officials stated that OBO will approve funds for minor\nphysical security upgrades when it receives the formal request. Approved major physical\nsecurity upgrades are added to an \xe2\x80\x9cout-year\xe2\x80\x9d schedule and are completed in order of priority.\n\n        Other processes existed to request funding for specific physical security-related items.\nFor example, when posts need FE/BR products, such as doors or windows, the RSO informs\nOBO\xe2\x80\x99s Program Security Operations Branch directly via email. If the request is minor, which\nincludes the maintenance and repair of existing FE/BR doors and windows, OBO funds the\nrequest in the year in which it is requested. Major FE/BR requests, which include large and\nsignificant projects to install new or perform lifecycle replacement of FE/BR doors, windows,\nand glazing panels, are added to an \xe2\x80\x9cout-year\xe2\x80\x9d schedule.\n\n        In addition, posts may request security-related items, such as repairs of walls, roofs, and\nnon-FE/BR windows and doors, through OBO\xe2\x80\x99s process for funding R&I projects. Posts submit\nrequests for R&I projects, both security and non-security related, to OBO electronically through\na Web-based system that interfaces with the Buildings Management Integrated System on a\nnightly basis. Area Managers in the Area Management Division review and approve each\nrequest in the system.\n\nProcesses To Request Funding Were Clear and Easy but Needed Improvement\n\n        Many of the post security officials who responded to the OIG questionnaire found the\nprocesses to request funding for physical security-related needs clear and easy to use. But some\npost security officials believed the processes were unclear or difficult. Overall, in response to a\nquestion regarding whether the processes were clear or unclear, 19 more than twice the responses\n\n18 The Buildings Management Integrated System is the database that OBO uses to track and prioritize OBO-funded\nfacility maintenance requirements, capital construction projects, and noncapital repair and rehabilitation projects.\n19 For this report, clear is defined as \xe2\x80\x9ceasily understood or free from doubt or confusion.\xe2\x80\x9d\n\n                                                    16\n                                               UNCLASSIFIED\n\x0c                                                     UNCLASSIFIED\n\n\n\n\nwere \xe2\x80\x9cvery clear\xe2\x80\x9d or \xe2\x80\x9csomewhat clear\xe2\x80\x9d (206 [56 percent] of 370) than were \xe2\x80\x9cvery unclear\xe2\x80\x9d or\n\xe2\x80\x9csomewhat unclear\xe2\x80\x9d (101 [27 percent] of 370). Similarly, in response to a question regarding\nwhether the processes were easy 20 or difficult, more responses were \xe2\x80\x9cvery easy\xe2\x80\x9d or \xe2\x80\x9csomewhat\neasy\xe2\x80\x9d (148 [41 percent] of 360) than were \xe2\x80\x9cvery difficult\xe2\x80\x9d or \xe2\x80\x9csomewhat difficult\xe2\x80\x9d (96 [27\npercent] of 360). The number of responses for each category of physical security need is\nprovided in Table 7.\n\nTable 7. Understanding of the Process To Request Funding for Physical Security Needs\n                                          Clarity                                    Ease of Use\n      Category                    Clear           Unclear                      Easy            Difficult\n Minor Physical                    (65) 65%         (20) 20%                    (48) 48%           (24) 24%\n Security Upgrades\n Major Physical                    (47) 50%               (32) 34%               (29) 33%         (29) 33%\n Security Upgrades\n Repair and                        (51) 56%               (25) 27%               (38) 43%         (22) 25%\n Improvement\n Other Security                    (43) 51%               (24) 28%               (33) 40%         (21) 25%\n Issues\n Total                           (206) 56%              (101) 27%              (148) 41%          (96) 27%\nSource: Prepared by Kearney based on its analysis of responses to OIG\xe2\x80\x99s questionnaire.\n\n        One factor that likely contributed to post security officials\xe2\x80\x99 positive perception of the\nprocesses was the adequacy of assistance provided to posts during the request processes by DS\nand OBO. A large majority, 93 (84 percent) of 111 respondents, found DS assistance to be either\n\xe2\x80\x9cvery adequate\xe2\x80\x9d or \xe2\x80\x9csomewhat adequate,\xe2\x80\x9d and 81 (74 percent) of 110 respondents deemed DS\nassistance to be either \xe2\x80\x9cvery timely\xe2\x80\x9d or \xe2\x80\x9ctimely.\xe2\x80\x9d Almost half of the respondents, 49 (47 percent)\nof 105, also found OBO assistance to be either \xe2\x80\x9cvery adequate\xe2\x80\x9d or \xe2\x80\x9csomewhat adequate.\xe2\x80\x9d One\npost security official commented that the points of contact \xe2\x80\x9cat both bureaus have generally been\nhelpful in providing appropriate guidance on how to request funding.\xe2\x80\x9d Another post security\nofficial commented \xe2\x80\x9c[i]n my experience I have been serviced well by OBO and DS concerning\nneeds for physical security upgrades and RSO inquiries.\xe2\x80\x9d A third post security official stated\nthat their post had been \xe2\x80\x9cwell supported in the area of physical security upgrades. Both DS and\nOBO have for the most part been very helpful during the process.\xe2\x80\x9d\n\n        Although there were many positive responses to the questionnaire relating to the clarity\nand ease of the processes to request funding for physical security needs, there were a significant\nnumber of responses that the request processes were unclear (27 percent) or difficult (27\npercent). The perception that the processes were unclear or difficult did not appear to be the\nresult of less experience with the processes. In fact, officials with greater experience generally\nfound the processes for requesting funds for minor physical security upgrades, major physical\nsecurity upgrades, and other security issues to be more difficult than officials who had less\nexperience.\n\n\n\n\n20   For this report, easy is defined as \xe2\x80\x9cnot hard to do or requiring little effort.\xe2\x80\x9d\n                                                          17\n                                                     UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n       Some Questionnaire Respondents Believed Responses to Posts\xe2\x80\x99 Funding Requests\n       Were Insufficient\n\n        Many post security officials who responded to the OIG questionnaire also indicated that\nthe assistance provided to post was untimely and that information provided to posts by OBO\nrelated to the denial of formal requests was inadequate.\n\n        Specifically, 31 (30 percent) of 103 respondents indicated that OBO\xe2\x80\x99s assistance during\nthe process of requesting funds was \xe2\x80\x9cuntimely\xe2\x80\x9d or \xe2\x80\x9cvery untimely.\xe2\x80\x9d For example, one\nrespondent stated that their post\xe2\x80\x99s FY 2012 requests \xe2\x80\x9chave still not been approved or denied\xe2\x80\x9d in\nAugust 2013, or 10 months later. Another respondent stated, \xe2\x80\x9cI requested funds for a project, 6\nmonths later [OBO] responded and requested more info [information] before [close of\nbusiness]. Then [OBO] did not respond for about 2 months before another short fuse\nrequest.\xe2\x80\x9d An additional respondent stated that \xe2\x80\x9ccables and emails went unanswered and were it\nnot for the intervention by the Ambassador direct to the Director of OBO, we do not believe we\nwould have received a response.\xe2\x80\x9d\n\n       Respondents were also dissatisfied with the responses received when their requests for\nfunding were denied. Specifically, 14 (41 percent) of 34 respondents indicated that the responses\nreceived were either \xe2\x80\x9csomewhat inadequate\xe2\x80\x9d or \xe2\x80\x9cvery inadequate.\xe2\x80\x9d Respondents to the\nquestionnaire who stated that some of their FY 2012 requests were not funded reported on\naverage that only 44 percent of their denied requests included an explanation of the denial of\nfunding.\n\n        OBO officials stated that OBO had an informal goal of responding to all official requests\nfor physical security funding within 2 weeks of receiving the request but that this goal was not\nalways met. One OBO official explained that workload backlogs and competing priorities\nresulted in some responses being delayed. OBO officials further explained that they were\nconfident that OBO had informed posts about decisions related to requests but that the\nrespondent may not have been aware of the response. For example, an OBO official stated that\nOBO might have informed and provided information to a different representative at a post, such\nas the post\xe2\x80\x99s Facilities Manager, rather than to the post security official. In these cases, OBO\xe2\x80\x99s\nresponse might not have been shared with all relevant parties at the post. In addition, posts\nsometimes submitted a request for funding to an incorrect program within OBO, which increased\nresponse time while the request was transferred to the correct program.\n\n        Although there are circumstances in which OBO responses may be delayed or when\ncommunications with posts are not relayed to all interested parties, the significant rate of\ndissatisfied customers indicates that OBO should take action to better communicate with posts\non formal requests for physical security funding.\n\nProcesses Were Not Standardized and Documented, and Training Was Not Sufficient\n\n        The negative perceptions expressed by post security officials can be attributed, in part, to\nthe lack of formal policies and procedures for the processes to request funds for physical\nsecurity-related needs, including the roles of DS and OBO in those processes. In addition, some\n                                                18\n                                         UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\npost security officials commented that they had not received sufficient training on how to request\nfunding.\n\n        Some Processes Were Not Standardized and Documented\n\n        According to the Government Accountability Office\xe2\x80\x99s (GAO) document \xe2\x80\x9cStandards for\nInternal Control in the Federal Government,\xe2\x80\x9d 21 \xe2\x80\x9c[M]anagement is responsible for developing the\ndetailed policies, procedures, and practices to fit their agency\xe2\x80\x99s operations and to ensure that they\nare built into and an integral part of operations.\xe2\x80\x9d However, Kearney found that neither DS nor\nOBO had developed or documented standard policies and procedures for requesting funding for\nmost physical security-related needs at posts. Many questionnaire respondents, 57 of 96 (59\npercent), indicated that the written policies and procedures for requesting funds were \xe2\x80\x9cvery\nadequate\xe2\x80\x9d or \xe2\x80\x9csomewhat adequate.\xe2\x80\x9d However, Kearney did not identify, either in the\nDepartment\xe2\x80\x99s FAM or the Foreign Affairs Handbook (FAH) or other available information from\nDS or OBO in any documented format, formal policies and procedures for requesting funding for\nminor physical security upgrades, major physical security upgrades, or other security issues such\nas FE/BR products. 22 In addition, there were no standard formats or templates for post to use to\nmake their requests.\n\n        The process to request funding for physical security needs is initially conducted\ninformally, primarily through emails, until a preliminary decision is made to approve the request.\nAlthough initial discussions are normally between the post security official and the Desk Officer,\nboth DS and OBO officials stated that posts sometimes bypassed the Desk Officer and contacted\nOBO officials directly. One post security official commented, \xe2\x80\x9cThere seems to be no formal\nprocess other than trading emails with [points of contact] in various DS and OBO offices \xe2\x80\x93 if\nthere is, it\xe2\x80\x99s not clear to the [people in the] field.\xe2\x80\x9d\n\n        In addition to the initial requests, there were no standard policies and procedures for\nresponding to the requests. Responses to the OIG questionnaire indicated that posts received\nnotifications that their formal requests were not funded in different manners, including cables,\nemails from OBO or DS, and telephone calls from OBO or DS, or they were not notified at all.\nOne respondent indicated that there needs to be \xe2\x80\x9ca better process to new [Assistant] RSOs and\nRSOs on whom to contact in their region and what the entire process from request to receiving\nfunds looks like.\xe2\x80\x9d\n\n        Some post security officials expressed confusion about the roles and responsibilities of\nDS and OBO in the request process. In discussions with both DS and OBO regarding each\nbureau\xe2\x80\x99s responsibilities for physical security-related requests, officials referred Kearney to the\nSecurity Equipment Responsibilities Matrix (SERM). The SERM is a guide that identifies the\noffices responsible and funding sources for the installation, maintenance, and repair of security\nequipment. However, the SERM does not describe the processes for requesting funds, and it\ndoes not include all physical security-related items. For example, although the SERM contains\n\n21GAO/AIMD-00-21.3.1, Nov. 1999, p. 7.\n\n\n22OBO has developed and documented policies and procedures for requesting R&I funds in the \xe2\x80\x9cRepair and\n\n\nImprovement Program Cookbook,\xe2\x80\x9d which is available on OBO\xe2\x80\x99s SharePoint site.\n\n\n                                                 19\n                                            UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n\ninformation relating to the installation and maintenance of FE/BR doors, it does not provide\nsimilar information for perimeter walls. DS officials stated that the SERM was designed to\naddress technical, rather than physical, security requirements. If physical security-related items\ndo not have a technical security aspect, the items are not included in the SERM. One respondent\ncommented, \xe2\x80\x9cWhile the security funding matrix is very helpful, it is not all-inclusive and still\nleaves wiggle room as to where responsibility falls on some things.\xe2\x80\x9d Another respondent\ncommented that there \xe2\x80\x9cseems to be little coordination between DS and OBO at the [Washington,\nDC] level on security upgrade projects, and it\xe2\x80\x99s unclear who is in charge of these for both\nfunding and execution as many of these projects do not fit into the security equipment matrix.\xe2\x80\x9d\n\n        DS and OBO officials agreed that the process for requesting funds for physical security-\nrelated needs was complicated but stated that it was very difficult to develop a standard process\nfor posts to use because each physical security-related need was unique. The officials further\nstated that post security officials should contact the Desk Officers, who will guide the post\nofficials through the process to request funds. Although responses to the OIG questionnaire\nindicated that Desk Officer assistance had been beneficial, it was clear that post security officials\nbelieved that DS and OBO needed to develop a better method to instruct posts in how to request\nfunding. In addition, DS and OBO need to develop a standardized, timely method to respond to\nposts about the decisions made on each request.\n\n         As of September 2013, DS was taking action to improve the process for posts to request\nfunding for physical security needs by developing a SharePoint 23 tool to be used for\ndocumenting and tracking posts\xe2\x80\x99 physical security needs. This tool is planned to allow RSOs to\ndirectly enter into SharePoint specific physical security-related information for different types of\nfacilities. The tool could eliminate or decrease the need for and reliance on individual requests.\nHowever, DS officials stated that they did not expect the tool to be fully populated with post data\nuntil FY 2016.\n\nSome Questionnaire Respondents Believed Training Was Not Sufficient\n\n        GAO\xe2\x80\x99s \xe2\x80\x9cStandards for Internal Control in the Federal Government\xe2\x80\x9d states that\n\xe2\x80\x9cmanagement needs to identify appropriate knowledge and skills needed for various jobs and\nprovide needed training.\xe2\x80\x9d According to the results of the questionnaire, however, 41 (51\npercent) of 81 respondents indicated that the training for requesting funds for physical security\nneeds was either \xe2\x80\x9csomewhat inadequate\xe2\x80\x9d or \xe2\x80\x9cvery inadequate,\xe2\x80\x9d while only 23 (28 percent) of 81\nrespondents selected \xe2\x80\x9csomewhat adequate\xe2\x80\x9d or \xe2\x80\x9cvery adequate.\xe2\x80\x9d Additional written comments by\nsome respondents to the questionnaire provided detail as to the deficiencies of the training to\nrequest funding. For example, one respondent commented that they had \xe2\x80\x9cnever received any\ninstruction as to the proper way to request money for funding of physical security upgrades. I\nknow nothing about the process by which this happens or how these decisions are made.\xe2\x80\x9d\nAnother respondent stated that the \xe2\x80\x9cRSO training related to the physical security funding process\nis wholly inadequate.\xe2\x80\x9d A third respondent stated that they did not \xe2\x80\x9cthink many people ever\nreceive training in the Department of State on how to request assistance. It is more a matter of\n\n23SharePoint is a Microsoft Web application platform that provides Intranet portals, document and file management\ncollaboration, system migration, process integration, and workflow capabilities.\n                                                  20\n                                             UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\npersonal motivation\xe2\x80\x94if you want to achieve something, you look up the contact name in the\n[global address list] or on the intranet for the section which makes most sense.\xe2\x80\x9d\n\n        According to DS officials, RSOs receive training on how to request funding for physical\nsecurity-related needs during Basic Regional Security Officer training, which all RSOs attend\nbefore they leave for their overseas assignments. Kearney noted that the training curriculum and\nrelated training materials for physical security contained some information indicating that\nfunding requests for minor and major physical security upgrades were covered on a limited basis\nduring the training. Although post security officials could contact Desk Officers for assistance,\nthe responses to the questionnaires indicate that post security officials would prefer additional\ntraining on the process to request funding.\n\nLack of Adequate Process Could Discourage Posts from Requesting Funding or Lead to\nPosts Funding Projects Directly\n\n        The lack of standard documented policies and procedures for requesting physical security\nfunds and the resulting lack of understanding of those processes may dissuade post security\nofficials from submitting requests for funding. In fact, two respondents to the OIG questionnaire\nindicated that they did not formally request funding for all of their physical security needs\nbecause their posts considered the process to be confusing or difficult. If even one post does not\nrequest funds for a significant security need, that post may become more vulnerable to an attack\nthat could result in destruction of property, injury, or loss of life.\n\n       In addition, post security officials who do not clearly understand the request process may\nsubmit requests that have insufficient information or support or to the incorrect individuals. If\nrequests are not submitted correctly, they must be resubmitted, which requires additional time\nand may delay the process for obtaining needed physical security items.\n\n        Further, 22 respondents (17 percent) stated that their physical security needs in FY 2012\nresulted from the establishment of new physical security requirements, and 18 (14 percent) stated\nthat their needs resulted from an increase in physical security-related risks. Although, in general,\nmost post security officials understood the processes to request physical security funding and\nfound the processes easy to use, an increase in the number of requests because of increased\nrequirements or risks may make the existing informal system less able to accommodate the\nrequests in a manner that ensures that critical physical security needs are addressed effectively\nand in a timely manner.\n\n       Recommendation 1. OIG recommends that the Bureau of Diplomatic Security, in\n       coordination with the Bureau of Overseas Buildings Operations, develop and implement\n       standard policies and procedures for requesting funds for physical security-related needs\n       and document the policies and procedures in a manner that is easily accessible by post\n       security officials (for example, in a \xe2\x80\x9cphysical security funding handbook\xe2\x80\x9d).\n       Consideration should be given to how the SharePoint tool currently in development can\n       be used to simplify the request processes.\n\n\n                                             21\n                                        UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\n\nDS Response: DS stated that it \xe2\x80\x9ccurrently has a process for posts that require additional\nfunding\xe2\x80\x9d and that the \xe2\x80\x9cprocess will be clearly articulated as part of an annual operating\ncable sent to RSOs.\xe2\x80\x9d DS noted that posts are instructed \xe2\x80\x9cto send a front channel cable\noutlining the security requirement and include funding implications.\xe2\x80\x9d DS further stated\nthat \xe2\x80\x9ca formal front channel cable funding request with direct response from the\nappropriate DS program office\xe2\x80\x9d and funding validation are more appropriate than using\nSharePoint.\n\nOBO Response: OBO suggested that OIG change the recommendation from \xe2\x80\x9cphysical\nsecurity-related needs\xe2\x80\x9d to \xe2\x80\x9cphysical security upgrades.\xe2\x80\x9d According to OBO, the\n\xe2\x80\x9cdistinction is needed since funding is near the end of the process.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that DS, in conjunction\nwith OBO, has developed and implemented standardized policies and procedures for\nrequesting funds for physical security-related needs. OIG does not believe it is necessary\nto change \xe2\x80\x9cphysical security needs\xe2\x80\x9d to \xe2\x80\x9cphysical security upgrades\xe2\x80\x9d in the\nrecommendation. OIG expects that the policies and procedures will provide guidance for\nrequesting funds for all types of physical security deficiencies and should not be limited\nto upgrades.\n\nRecommendation 2. OIG recommends that the Bureau of Overseas Buildings\nOperations develop and implement a process to respond to posts\xe2\x80\x99 formal requests for\nphysical security-related funding, which should include commitments to respond within\ncertain timeframes.\n\nOBO Response: OBO concurred with the recommendation, noting that \xe2\x80\x9cfunding will be\npart of the overall process developed\xe2\x80\x9d for Recommendation 1.\n\nOIG Analysis: OIG considers the recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that OBO has\ndeveloped and implemented a process and timeframes for responding to requests for\nphysical security-related funding.\n\nRecommendation 3. OIG recommends that the Bureau of Diplomatic Security develop\nand implement a methodology to periodically communicate the processes to request\nfunds for physical security-related needs to all post security officials.\n\nDS Response: DS concurred with the recommendation, stating that it will \xe2\x80\x9cexplore the\npossibility of integrating funding guidance and/or a funding request process\xe2\x80\x9d within its\nnew Physical Security Survey site or Project Management Solution, as well as include\n\xe2\x80\x9clanguage about requesting funds for physical security upgrades in its annual operating\ncable.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that DS has developed\n                                     22\n                             UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n       and implemented a methodology to periodically communicate the processes to request\n       funds to all post security officials.\n\nFinding C. Department Did Not Have Information To Ensure Highest\nPriority Security Needs Were Funded\n         Kearney could not determine the extent to which the Department used physical security\nfunds for the highest priority physical security needs at overseas posts during FY 2012. During\nthat fiscal year, the Department funded four major physical security upgrades, 85 minor physical\nsecurity upgrades, and 10 major FE/BR projects. However, Kearney could not determine\nwhether the highest priority security needs were funded for the following reasons:\n\n           \xe2\x80\xa2\t\t DS did not have a comprehensive list of all post physical security deficiencies.\n           \xe2\x80\xa2\t\t Neither DS nor OBO maintained a list of posts\xe2\x80\x99 FY 2012 requests for physical\n               security funding and the disposition of those requests.\n           \xe2\x80\xa2\t\t Neither DS nor OBO had formal processes to prioritize physical security needs.\n               Instead, decisions on which project to fund were often made by one individual\n               without documented standards and guidance for prioritizing physical security\n               needs.\n           \xe2\x80\xa2\t\t DS and OBO did not have sufficient formal processes for coordinating with each\n               other to establish standards for determining priority and to agree on funding\n               decisions.\n           \xe2\x80\xa2\t\t Neither DS nor OBO had developed a comprehensive long-range physical\n               security plan that would help focus attention on critical needs.\n\n        For the reasons cited, the Department could not ensure that the highest priority physical\nsecurity needs at overseas posts were corrected and that the posts\xe2\x80\x99 vulnerability to threats had\ntherefore been reduced sufficiently.\n\nComplete Information Needed To Prioritize Post Physical Security Needs Was Not\nMaintained\n\n        GAO\xe2\x80\x99s \xe2\x80\x9cStandards for Internal Control in the Federal Government\xe2\x80\x9d states that \xe2\x80\x9c[i]nternal\ncontrol and all transactions and other significant events need to be clearly documented, and the\ndocumentation should be readily available for examination.\xe2\x80\x9d However, the Department did not\nhave the information needed to prioritize post physical security needs. Specifically, DS did not\nhave a comprehensive list of physical security deficiencies at all overseas posts, and neither DS\nnor OBO maintained a list of posts\xe2\x80\x99 FY 2012 requests for physical security funding or the\ndisposition of those requests.\n\n\n\n\n                                             23\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n        Comprehensive List of Physical Security Deficiencies Was Not Available\n\n       DS did not have a comprehensive list of physical security deficiencies at all overseas\nposts. When Kearney requested such a list, DS officials stated that a comprehensive list did not\nexist.\n                                                                                    OBO Maintains\n        Kearney found that a comprehensive list was not                      Comprehensive List of R&I Needs\navailable because DS did not have sufficient processes in       Although the Department does not\nplace for collecting the information and developing such a      maintain a list of physical security-related\nlist. The FAM 24 requires that RSOs at each post conduct a\t\t needs, it has other programs that it could\nphysical security survey of their post facilities at least \t    use as a basis for developing a\nonce every 3 years to determine whether the facilities          comprehensive tracking process for\n                                                                physical security-related deficiencies. For\nmeet OSPB security standards and to identify physical           example, for R&I, OBO obtains requests\nsecurity deficiencies requiring correction. RSOs provide        from posts through a formal process,\nthe completed physical security survey to DS\xe2\x80\x99 \t                 normally once a year; has a formal\nInternational Programs Directorate. 25 The directorate\t\t        process for prioritizing the requests; and\nmaintains the surveys in a centralized DS repository. In        maintains a complete prioritized list of\n                                                                R&I requirements in the Buildings\naddition, RSOs provide a copy of the survey to their            Management Integrated System.\nrespective Desk Officer and inform the Desk Officer of\nthe physical security deficiencies that arise between survey reporting periods. However, the\nphysical security deficiencies identified during the surveys and reported by posts were not\ncompiled and tracked aggregately by DS. Instead, each of the Desk Officers determined how\nthey would track and monitor the physical security deficiencies at the posts for which they were\nresponsible.\n\n        Although the physical security survey results could provide a basis for compiling a\ncomprehensive list of all physical security deficiencies worldwide, the survey as structured may\nnot provide all of the information necessary. Specifically, the survey form was not constructed\nin a manner that enables the RSO to complete it efficiently or the DS Desk Officer to interpret\nthe results easily. For example, OSPB standards provide physical security requirements for eight\ndifferent types of facilities. 26 However, the same survey form is used for all types of facilities\nand for all threat categories, and the form does not include information on the requirements for\neach type of facility being assessed and does not include the specific standards that apply to a\npost based on its threat category. This format requires that RSOs spend additional time looking\nup the standards for each facility.\n\n       In addition, the survey consists of many open-ended questions that require the RSO to\ndescribe an aspect of physical security rather than simply identify whether or not the facility\nmeets that aspect of the applicable standards. For example, one question instructs RSOs to\n\xe2\x80\x9cdescribe perimeter fence/wall\xe2\x80\x9d rather than stating that the perimeter wall should be a certain\n\n24 12 FAM 315.2c, \xe2\x80\x9cOSPB Security Standards \xe2\x80\x93 Exception Authority.\xe2\x80\x9d\n\n\n25 12 FAM 425a, \xe2\x80\x9cRegional Security Officer (RSO) Reporting Requirements.\xe2\x80\x9d\n\n\n26 The eight types of facilities are a Chancery or Consulate, Sole Occupant of Building or Compound, Tenant in a \n\nCommercial Office Space, New On-Compound Housing; Public Office Facility, Voice of America Relay Stations,\n\n\nUnclassified Warehouse, and Public Diplomacy Facility.\n\n\n                                                   24\n                                              UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nheight based on the threat level of the post and asking the RSO to report on whether the\nperimeter wall meets this requirement. Because the RSOs simply give a description of the wall\nwithout explicitly pointing out whether a standard was met or a deficiency existed, the\nresponsible Desk Officer had to make that determination based on the description.\n\n         Before the beginning of this audit, DS recognized the need to track physical security\ndeficiencies and maintain a comprehensive list of physical security needs for all posts in one,\neasily-accessible location. As discussed in Finding B, as of September 2013, DS\xe2\x80\x99 Physical\nSecurity Division had been developing a new physical security survey, using SharePoint, that\nwould track all areas of non-compliance with physical security standards in a comprehensive and\nuniform manner. The SharePoint survey addresses the flaws in the current survey process. For\nexample, the SharePoint tool will include separate survey forms for each of the eight types of\nfacilities, and each form will include the specific standards for that type of facility. RSOs will\nuse drop-down menus and other tools to indicate whether or not the facility being assessed is in\ncompliance with the standards. In addition, RSOs will be able to provide additional descriptive\ninformation for non-compliant facilities, which will make it easier for DS to capture all identified\nphysical security deficiencies at all posts. A DS official stated that RSOs will be able to update\nthe information in SharePoint to include new physical security deficiencies as they are identified.\nDS officials stated that DS also plans to develop the functionality necessary to consolidate all\nphysical security deficiencies in SharePoint into one report.\n\n        If implemented successfully, the SharePoint tool could provide DS and OBO with\ninformation on physical security needs at overseas posts that could be used to make informed\nfunding decisions. However, DS had not developed a full implementation plan for the new\nsurvey tool. Certain aspects of the tool\xe2\x80\x99s use after it was fully populated were still unclear, such\nas whether OBO would have access to view the completed surveys and generate reports to obtain\nspecific information. A complete implementation plan, which includes details of how the tool\nwill be used across DS offices as well as by OBO, would be key to the successful completion of\nthis project.\n\n        Additionally, the new physical security survey specifically tracks only areas of non\xc2\xad\ncompliance with OSPB standards, not other physical security deficiencies such as issues with the\ncondition of physical security items that may render the items incapable of performing as\nintended. For example, if the RSO is assessing the perimeter wall, the survey asks if the wall\nwas built in accordance with the appropriate standard(s), not whether there are cracks or other\nsigns of deterioration in the structure that could indicate a deficiency in the facility\xe2\x80\x99s physical\nsecurity. The survey form has a text box at the end of each section (for example, perimeter\nwalls) where RSOs can note these types of physical security deficiencies as well as provide\nadditional information about the areas of non-compliance identified. Although DS should be\nable to generate a report that lists all facilities that are not compliant with the OSPB standards\nand the areas of non-compliance, capturing the information on other physical security\ndeficiencies in the report will be more difficult.\n\n        DS officials stated that they anticipated having the SharePoint survey tool available\nduring 2014. However, the database will not be populated with complete information for at least\n3 years. DS plans to have posts input information during the physical security survey process\n                                                  25\n                                          UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nperformed once every 3 years. The security survey process is normally performed on a rolling\nbasis; that is, approximately one-third of overseas posts perform the survey each year. DS\nofficials stated that a phased-in approach was necessary because of the large number of facilities,\nover 2,000, that must be surveyed and the limited number of staff available to analyze survey\nresults. Therefore, complete information on all overseas physical security deficiencies may not\nbe available until 2016.\n\n       Complete List of Post FY 2012 Requests for Physical Security Funding Was Not\n       Available\n\n        Neither DS nor OBO had a complete list of all funding requests for physical security-\nrelated items made by posts during FY 2012. Kearney requested a complete list of all informal\nrequests made by RSOs in FY 2012 to DS officials, but DS officials explained that such a list did\nnot exist. The Desk Officers review and screen post requests and inform the RSOs about which\nrequests should be formally submitted to OBO. Although the Desk Officers had records, such as\nemails, of the requests that they had received from their posts, DS did not compile and maintain\na complete list of posts\xe2\x80\x99 FY 2012 requests, including the requests that posts were advised not to\nsubmit formally.\n\n        Kearney also requested a comprehensive list of all formal requests for funding to OBO,\nbut OBO officials explained that OBO did not track all incoming requests and that such a list did\nnot exist. OBO officials stated that requests were tracked informally through ongoing\ndiscussions between OBO staff, DS Desk Officers, and the requesting RSO. OBO maintained\nand provided Kearney copies of spreadsheets that listed the major physical security upgrade and\nFE/BR projects that OBO had approved and scheduled. OBO officials stated that OBO\xe2\x80\x99s policy\nis to fund all requests for projects that are needed to bring the posts into compliance with OSPB\nstandards. OBO officials stated that they did not believe it was necessary to track post requests\nthat were not funded because denials were issued very infrequently. However, without a\ncomplete list of the formal requests, Kearney could not determine whether or how many formal\nrequests were made and how many of those requests were denied.\n\nFormal Processes To Prioritize Physical Security Requests Were Not in Place\n\n        As part of any successful program, an organization should prioritize needs so that funds\ncan be used in the most efficient and effective manner. In order to prioritize activities, program\nmanagers should implement a systematic process to select projects and allocate resources to\nthese projects in order to maximize value added. However, neither DS nor OBO had formal\nprocesses in place to prioritize posts\xe2\x80\x99 physical security needs. The processes used by DS to\nreview posts\xe2\x80\x99 initial informal requests and by OBO to determine which formal requests for major\nand minor physical security upgrades and FE/BR projects were funded, were often performed by\none individual without documented standards and guidance.\n\n       DS Review Process\n\n       DS used an informal process to review RSO requests before the RSO could submit a\nformal request for funding to OBO. As reported in Finding B, when RSOs identify a need, they\n                                             26\n                                        UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\ndiscuss the need with the post\xe2\x80\x99s Desk Officer. In some cases, the Desk Officer may inform the\nRSO not to submit a formal request for funding to OBO because the Desk Officer believes that\nthe request will not be funded. For example, if an RSO identifies a physical security deficiency\nthat exceeds OSPB minimum standards, the Desk Officer may discourage the RSO from\nrequesting funds to correct the deficiency. In response to the OIG questionnaire, security\nofficials at four posts indicated that they were advised by Washington-based officials not to\nrequest funds for their physical security needs. Desk Officers generally based their\ndeterminations on information provided by the posts, such as information in emails and\nphotographs if available. There was no standard template for posts to make requests, and there\nwere no formal standards or guidance for the Desk Officers to use to make their determinations.\nInstead, each Desk Officer used his or her own experience and knowledge about the funding\nprocess to determine whether to encourage posts to submit a formal request for funding.\n\n       OBO Processes To Prioritize Physical Security Needs\n\n        OBO had several processes to determine which physical security projects were funded\ndepending on the type of project. Specifically, OBO had separate processes for major physical\nsecurity upgrades, minor upgrades, and FE/BR projects.\n\n        Major Physical Security Upgrades. There were no documented standards or guidance\nfor prioritizing major physical security upgrade projects. One individual, an OBO program\nmanager, received all formal requests for funding and determined the priority of the projects.\nThe manager determined whether to fund a post request based primarily on the post\xe2\x80\x99s ranking on\nthe DS Risk Matrix. The DS Risk Matrix lists posts in the order of priority. The post ranked\nnumber one on the Matrix receives a vulnerability score of \xe2\x80\x9c1,\xe2\x80\x9d with the remaining posts\xe2\x80\x99 scores\ncalculated as a percentage of how vulnerable each post is in relation to the first post. The scores\non the DS Risk Matrix are generally based on the condition of the facility; its SETL threat levels;\nand, to a small degree, other factors related to the host country. In addition to the DS Risk\nMatrix ranking, the program manager considers other factors, including the overall condition of\nphysical security at the post and whether the post is scheduled for other major projects, such as\nthe construction of a NEC or a major rehabilitation.\n\n        When requests are received for major physical security upgrades that cannot be funded\nimmediately, OBO places them on out-year project schedules. As of April 2013, 55 major\nphysical security upgrade projects were scheduled to be funded from FY 2012 through FY 2019.\nKearney evaluated the project schedules provided by OBO to determine whether higher threat\nposts were prioritized before lower threat posts. Kearney concluded that generally, posts with\nhigher scores on the DS Risk Matrix were scheduled before posts with lower scores. However,\nKearney identified some instances in which posts with higher DS Risk Matrix scores were\nscheduled after posts with lower scores. OBO officials stated that in some cases, projects for\nhigher threat posts could not always be given higher priority because of physical, logistical, or\nhost government constraints. For example, a project for one post that was ranked highly on the\nDS Risk Matrix was scheduled for FY 2014, but the project was pushed back to FY 2015\nbecause of the lack of host government cooperation. Kearney also identified an instance where a\npost that was ranked in the top 15 percent of the most vulnerable posts on the DS Risk Matrix\nwas not scheduled for an upgrade until FY 2017, while 25 of the 29 posts scheduled for upgrades\n                                                 27\n                                        UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n\n\nbetween FY 2012 and FY 2016 were ranked lower. An OBO official explained that this project\nhad been pushed back on the schedule because of a reduction in funding from the initial budget\nrequests that OBO had submitted. Although the funds available for physical security-related\nprojects may not be sufficient to cover the costs of a large project at a vulnerable post, the funds\nmay cover several smaller, needed projects at less vulnerable posts.\n\n        Minor Physical Security Upgrades. There were no formal standards or guidance for\nprioritizing minor physical security upgrade projects. OBO officials explained that OBO\ngenerally funds all minor physical security upgrade projects. When requests are received, an\nOBO manager determines whether the request is for a valid minor project. If it is a valid project,\nOBO either funds it immediately or delays the project until it is feasible. For example, if a post\nrequests multiple minor projects, OBO may fund a few of the projects initially and fund the\nremaining projects after the post completes the initial projects. OBO does not track the minor\nprojects that have been postponed. OBO officials stated that OBO ensures that pending minor\nprojects do not get overlooked by having ongoing conversation with RSOs and Desk Officers\nregarding the statuses of their minor projects. However, according to the responses to the OIG\nquestionnaire, of 117 requests for minor physical security needs, only 85 were funded, meaning\nthat 32 were not funded.\n\n        FE/BR Projects. There were no documented standards or guidance for prioritizing\nFE/BR projects. Requests for FE/BR projects are reviewed by one individual, an OBO program\nmanager. The manager makes prioritization decisions based upon several factors. Specifically,\nthe manager considers the information provided by the requesting post, such as photographs of\nfaulty equipment; the post\xe2\x80\x99s SETL threat ratings; and whether a major rehabilitation project,\nmajor upgrade project, or construction of a NEC is scheduled for that post in the near future.\n\n       When requests are received for FE/BR upgrades that cannot be funded immediately,\nOBO places the requests on out-year project schedules. Kearney reviewed the out-year project\nschedules for FY 2011 through FY 2013 and found that 31 FE/BR projects were scheduled to\nbegin during that period. Kearney evaluated the FE/BR project schedule provided by OBO to\ndetermine whether posts with a higher SETL threat rating were scheduled before posts with a\nlower rating. Kearney concluded that in general, posts with a high SETL threat rating were\nscheduled before posts with a lower rating.\n\n         Repair and Improvement Projects. OBO documented standards and guidance for\nprioritizing R&I projects. OBO\xe2\x80\x99s \xe2\x80\x9cRepair and Improvement Program Cookbook\xe2\x80\x9d provides\ndetailed instructions and operational guidance for the R&I process, including how R&I requests\nare prioritized. When R&I requests are received, Area Management Officers within OBO\xe2\x80\x99s\nOffice of Area Management score the requests by assigning weighted factors to 14 specific\ncriteria to define the level of importance of the requests. The \xe2\x80\x9cBMIS Scoring Guide\xe2\x80\x9d defines the\nscoring factors and provides recommended scores for various facility and building system\nconditions. Scored requests are reviewed and approved by OBO management. Approved\nrequests become R&I requirements, which are ordered by the priority score. The higher the\npriority score, the more likely the project will be funded.\n\n\n                                              28\n                                         UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nCoordination Between DS and OBO Was Not Sufficient\n\n        GAO\xe2\x80\x99s \xe2\x80\x9cStandards for Internal Control in the Federal Government\xe2\x80\x9d states, \xe2\x80\x9cEffective\ncommunication should occur in a broad sense with information flowing down, across, and up the\norganization. In addition to internal communication, management should ensure there are\nadequate means of communicating with, and obtaining information from, external stakeholders\nthat may have a significant impact on the agency achieving its goals.\xe2\x80\x9d Although DS and OBO\nshare responsibility for ensuring that posts\xe2\x80\x99 physical security needs are addressed, coordination\nbetween the bureaus to establish prioritization standards was not sufficient.\n\n        Although DS is responsible for protecting Americans overseas and establishing physical\nsecurity standards, DS had not been sufficiently involved in the decision-making process to\nprioritize and fund physical security projects. DS Desk Officers are in regular communication\nwith RSOs to understand posts\xe2\x80\x99 physical security needs and the importance of funding those\nneeds. However, a DS official stated that once a post submits a formal request for physical\nsecurity funding to OBO, DS\xe2\x80\x99 Project Coordination Branch does not play a role in the\nprioritization of the major physical security upgrade projects. Because OBO is appropriated the\nfunds for addressing physical security deficiencies, OBO takes the lead in determining which\nphysical security projects will be funded and when. DS and OBO officials meet on a weekly\nbasis to discuss the requests for physical security projects that have not been funded and to gain\nan understanding as to why the requests were not funded. This meeting provides DS officials an\nopportunity to have input into the decision-making process. For example, during these meetings,\nDS may emphasize the importance of a project to OBO and explain the physical security\ndeficiencies that need to be corrected. However, there is no formal process in place for DS to\nobject to OBO\xe2\x80\x99s decisions.\n\n        Post security officials identified concerns with the lack of coordination between DS and\nOBO. For example, one respondent to OIG\xe2\x80\x99s questionnaire stated, \xe2\x80\x9cThe [l]argest problem with\nphysical security funding is that OBO . . . considers it a DS thing and DS . . . does not control\nfunding. . . . This confuses the whole process, introduces delays and makes it cumbersome.\xe2\x80\x9d It\nis essential that OBO and DS improve their process for sharing information to assist in the\ndecision-making process and work together to ensure that the best funding decisions are being\nmade.\n\n        Kearney identified several significant instances in which the lack of coordination\nbetween OBO and DS created the potential for disagreements in determining which physical\nsecurity needs should be funded. For example, OBO and DS had differing interpretations of how\nOSPB standards should be applied, the bureaus did not agree on the factors to prioritize major\nphysical security upgrade projects, and the bureaus had not established specific criteria for\nfunding physical security projects at posts scheduled to receive a NEC or undergo major\nrehabilitation.\n\n\n\n\n                                             29\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\n          Inconsistent Interpretation of Security Standards\n\n        DS and OBO had differing interpretations of the OSPB standards. OBO officials stated\nthat OBO makes decisions on which projects to fund based on the OSPB standards in the FAH. 27\nOBO officials stated that OBO\xe2\x80\x99s priority is to bring posts that are not in compliance with OSPB\nstandards into compliance. They considered the OSPB standards to be the maximum physical\nsecurity standards required for a post and believe that projects that are not related to standards, or\nthat go \xe2\x80\x9cabove and beyond\xe2\x80\x9d the standards are difficult to prioritize. For example, OBO would\nnot normally fund physical security projects that are outside the perimeter of a compound. DS\nofficials stated that there are no policies in place to determine who has funding responsibility for\nitems outside perimeter walls. Kearney reviewed the standards and the SERM and determined\nthat, except for vehicle barriers, there were no policies requiring physical security measures\noutside the perimeter wall.\n\n        DS officials stated that they consider the OSPB standards to be the minimum\nrequirements for physical security that posts must meet and believe that there are circumstances\nin which it is necessary to go above the minimum standards. According to DS officials, high-\nthreat posts may have security needs that are above and beyond the standards listed in the FAH.\nFor example, in response to a bombing that occurred at a building near the U.S. embassy at one\npost, DS officials requested that OBO fund barriers to block off the road leading to the chancery\nentrance. However, OBO initially did not fund the request because the barriers would be placed\noutside the perimeter of the compound and were therefore not required by OSPB standards. 28 In\nanother example, in FY 2012 a post requested funding to replace or repair the \xe2\x80\x9ctire killers\xe2\x80\x9d\nlocated outside the compound perimeter because some of the spikes were not functional.\nHowever, OBO did not fund the request because funding items outside of the perimeter was not\nspecified in the standards.\n\n        Nevertheless, OBO has, in some cases, funded requests for projects that go beyond OSPB\nstandards. For example, in FY 2012 OBO funded a post\xe2\x80\x99s request to install barbed wire.\nGenerally in these cases, DS officials work with OBO officials to provide OBO a better\nunderstanding of the need for the projects. However, when OBO does decline to fund physical\nsecurity needs that DS considers essential, the DS Desk Officers attempt to identify available\nfunding that can be used. For instance, in FY 2012, the Office of Physical Security Programs\nfunded six physical security projects, totaling $259,820, that were related to perimeter security.\n\n        Of the six DS-funded physical security projects in FY 2012, four projects were for\nMission Benghazi, which received the DS-funds for minor projects in December 2011 and in\nFebruary, March, and June 2012. Communications between the requesting RSO, DS, and OBO,\nand as reported by the Benghazi Accountability Review Board, indicated that OBO did not fund\nthe requests because Benghazi was a short-term leased facility. According to the FAH, 29 OBO\xe2\x80\x99s\nprimary program to fund physical security needs, the Compound Security Program, provides\nfunding only for Government-owned and long-term leased facilities. Because the standards did\n\n27 12 FAH-5 and 12 FAH-6.\n\n\n28   According to OBO management, this project was funded in November 2012.\n\n\n29   4 FAH-1 H-520, \xe2\x80\x9cFunction Codes, Titles, and Definitions.\xe2\x80\x9d\n\n\n                                                   30\n                                              UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n\n\nnot require the funding of upgrades at short-term leased facilities, OBO did not fund the requests\nfor physical security upgrades at Benghazi. 30\n\n        On June 11, 2013, the FAH 31 was updated to state that \xe2\x80\x9c[s]tandards and measurements in\nthis handbook are the required minimum acceptable standards.\xe2\x80\x9d Clarifying the intent of OSPB\nstandards is a useful step in improving the decision-making process for physical security\nfunding. However, until DS and OBO develop a mutual understanding about the needs at posts,\nthere could be additional issues with funding of projects to correct high-risk physical security\ndeficiencies at overseas posts. In addition, to successfully prioritize physical security needs,\nobjective criteria for ranking the needs, including needs that are not required by OSPB standards,\nwould be needed.\n\n        Lack of Agreement on Prioritization Factors for Major Physical Security Upgrade\n        Projects\n\n        DS and OBO also did not agree on the factors used to prioritize major physical security\nupgrade projects. OBO primarily used the DS Risk Matrix to prioritize the projects. DS officials\nstated that the DS Risk Matrix was not an appropriate tool for prioritizing physical security\nupgrades because it was not developed for that purpose. DS developed the DS Risk Matrix to\nsupport the prioritization of posts that were scheduled to receive a new embassy under the\nCapital Security Construction Program. One DS official stated that DS\xe2\x80\x99 official position is that\nOBO\xe2\x80\x99s prioritization using the DS Risk Matrix does not align with how DS would prioritize\nupgrade projects because certain posts had physical security needs that were not reflected in the\nDS Risk Matrix. DS officials stated that they believed a different matrix should be used for\nprioritizing major physical security upgrade projects. The new matrix could include many of the\nsame factors as the DS Risk Matrix, but these factors would be weighted differently to prioritize\nphysical security upgrades. DS officials stated that they offered to create such a matrix. An\nOBO official stated that using the DS Risk Matrix to prioritize major physical upgrade projects\nwas appropriate because the matrix lists and prioritizes the posts that are not scheduled to receive\na NEC as well as the posts that are scheduled to receive a NEC. Additionally, the OBO official\nbelieved that the use of the DS Risk Matrix was reasonable because OBO does not prioritize the\nprojects solely based on the threat rankings in the DS Risk Matrix but merely uses the matrix as a\nconsideration. Nevertheless, OBO officials expressed their willingness to collaborate with DS\non developing a different tool for prioritizing major physical security upgrades.\n\n        Physical Security Projects at Posts Receiving a NEC or Undergoing Major\n        Rehabilitation\n\n        To make the most efficient use of a limited budget, OBO may defer funding physical\nsecurity needs at posts that are scheduled to receive a NEC or undergo a major rehabilitation\nproject in the near future. Although this can result in funding efficiencies, it can also leave posts\nvulnerable to threats when the planned NEC or major rehabilitation projects are delayed. Delays\n\n30 In January 2013, the Department issued guidance indicating that OSPB standards apply to all permanent, interim,\n\n\nand temporary diplomatic facilities.\n\n\n31 12 FAH-5 H-411.1, \xe2\x80\x9cMinimum Standards.\xe2\x80\x9d\n\n\n\n                                                    31\n                                               UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\n\n\ncan result from changes to the list of posts scheduled to receive a NEC 32 and the inherent\ncomplexities involved with planning and executing a large-scale construction project in a high-\nrisk overseas environment. For example, the 2010 out-year schedule for major physical security\nupgrades included one post that was scheduled to receive a major upgrade in FY 2015. This post\nwas in the top 20 of the DS Risk Matrix. However, that project was deleted from the schedule in\nFY 2011 because it was added to the list of posts scheduled to receive a NEC in FY 2017; thus\nsecurity improvements would be delayed by an additional 2 years.\n\n        In response to the OIG questionnaire, some post security officials expressed concerns\nabout such delays. For example, one post security official stated, \xe2\x80\x9cWe\xe2\x80\x99re supposed to move into\na new facility, but the date keeps changing. We\xe2\x80\x99re over 2 years behind the move. Hard to get\nfunding when you\xe2\x80\x99re supposed to keep moving to a new post.\xe2\x80\x9d Another security official stated\nthat the \xe2\x80\x9cEmbassy was slated for an entire rehab in 2014 \xe2\x80\x93 since put off to 2017.\xe2\x80\x9d\n\n        An OBO official explained that there are instances in which OBO will fund minor\nprojects to temporarily address physical security needs at a post that is scheduled for a NEC or a\nmajor rehabilitation project. In addition, OBO officials stated that OBO monitors the NEC\nproject schedule and will consider funding a major upgrade project for a post with physical\nsecurity deficiencies if the NEC project is scheduled several years into the future. For example,\none post security official stated that their post \xe2\x80\x9cwas scheduled for a new embassy project in FY\n2016, but then it got pushed out to FY 2023 at which time OBO conducted a survey for a\nphysical security upgrade project now scheduled for FY 2016.\xe2\x80\x9d Kearney verified that this post\nwas added to the out-year schedule in FY 2012 for a major upgrade project in FY 2016.\n\n        OBO was also reluctant to fund physical security deficiencies at posts that had recently\nreceived a NEC. DS officials explained that physical security standards change constantly and\nthat posts can be non-compliant with security standards immediately following a major project.\nDS officials referred to this situation as the \xe2\x80\x9cmoving target principle,\xe2\x80\x9d where standards change\nbetween the time a project is planned and the time the project is completed. For example, in\nJune 2013, OIG reported 33 that multiple embassies and consulates that had received new\nembassy compounds had physical security deficiencies attributable to changes in physical\nsecurity standards since the construction of the compounds was completed. DS officials stated\nthat once a post receives a NEC, major rehabilitation project, or major security upgrade project,\nthat post would be far less likely to receive Compound Security Program funding. Although\nNECs may need physical security upgrades, OBO believes that funding has to be focused on\nolder buildings that have more OSPB deficiencies than the NECs unless there is a specific threat\nor need at a NEC.\n\n\n\n\n32 DS publishes a Vulnerability List, which ranks facilities according to their vulnerability across a wide variety of\nsecurity threats on an annual basis, as mandated by SECCA. This list is then used to establish the Top 80 list of\nposts in which NECs are needed to reduce security vulnerabilities. The Top 80 list shows which posts are scheduled\nto receive a NEC.\n33 Audit of Department of State Compliance With Physical/Procedural Security Standards at Selected High Threat\nLevel Posts (AUD-SI-13-21, Jun. 2013).\n                                                    32\n                                               UNCLASSIFIED\n\x0c                                           UNCLASSIFIED\n\n\n\n\nLong-Range Plan to Address Physical Security Deficiencies Was Lacking\n\n        The Department did not have a comprehensive long-range physical security plan. A\nlong-range plan helps an organization focus on critical needs and provides a sense of direction\nand purpose. Long-range plans also make day-to-day operations more effective and can be used\nas the vehicle to guide decision-making for spending.\n\n        Although the Department did not have a long-range plan to address physical security\ndeficiencies, OBO developed and issued a Long-Range Plan that provided detailed information,\npost by post on new construction projects and needed repairs and improvements. 34 According to\nOBO, the Long-Range Plan is needed to communicate and coordinate maintenance and\noperations needs to stakeholders\xe2\x80\x94specifically, it helps stakeholders better understand how OBO\nis addressing challenges and identifying long-term needs. The Long-Range Plan also collocates\nprojects and maintenance needs in one document, serves as a budget tool, and supports long-term\nstrategic efforts.\n\n         Kearney reviewed the Long-Range Overseas Maintenance Plan issued in 2010 and found\nthat it included some compound security upgrade projects for posts; however, almost all of these\nprojects were for the installation of mantraps and compound access controls and for FE/BR\nupgrades. The security standards for these three areas were upgraded, thus OBO included the\nnew requirements in the long-range plan. However, existing physical security needs were not\nincluded in the long-range plan.\n\n        Although OBO maintained various informal lists detailing when certain physical security\nprojects would be funded, it did not have a plan that illustrated physical security deficiencies, the\npriority of the deficiencies, and the cost of addressing those deficiencies. Physical security\ndeficiencies are a high-priority issue that should have equal or greater focus than construction or\nmaintenance projects. Having a Long-Range Physical Security Plan would be beneficial to\nOBO, DS, and all other stakeholders interested in the Department\xe2\x80\x99s physical security needs, and\nit would increase the transparency of the funding process.\n\nImportant Physical Security Needs Might Not Have Been Funded, and Accountability Was\nLacking\n\n         Without complete information on all physical security needs at overseas posts, the\nDepartment cannot ensure that it funds the highest priority needs. The Department cannot\nobjectively make a determination about which projects are high priority without a comprehensive\nlist of all physical security needs. Significant physical security deficiencies at all posts, or less\nsignificant deficiencies that may create a greater risk at higher threat posts, may not be funded\nand corrected, leaving some posts more vulnerable to threats. The lack of formal prioritization\nprocesses and standards may also result in inconsistent funding decisions on similar physical\nsecurity deficiencies at posts.\n\n\n34 Prior to 2012, OBO issued two separate plans\xe2\x80\x94the Long-Range Overseas Buildings Plan and the Long-Range\nOverseas Maintenance Plan.\n                                                33\n                                           UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n        In addition, accountability cannot be established without documentation supporting all\npost requests, both informal and formal, and the disposition, including the denial, of those\nrequests. Some RSOs expressed concerns that they might be held accountable if they did not\nmake a formal request and an adverse event happened at their post. For example, one post\nsecurity official stated that because the Department did not always send formal denials for\nrequests for physical security funding, the posts ended up \xe2\x80\x9cstuck holding the responsibility if\nsomething happens.\xe2\x80\x9d This official stated that they believed that DS or OBO should be \xe2\x80\x9cforced to\nsend a formal denial\xe2\x80\x9d rather than the post being put in \xe2\x80\x9cthe position of . . . I talked to DS/OBO\nand they said no.\xe2\x80\x9d Another respondent stated, \xe2\x80\x9cRSOs have no real mechanism to force OBO . . .\nto take appropriate action.\xe2\x80\x9d The lack of documentation of all decisions made during the request\nand prioritization processes will also make it difficult to identify breakdowns in the processes\nand correct them before attacks occur.\n\n       Further, if RSOs are discouraged from requesting funding for a physical security need or\ndo not understand the prioritization processes and why their requests are denied, RSOs may not\ninform or communicate all physical security needs and deficiencies to their respective Desk\nOfficers. This could create an environment in which RSOs feel that they can report only certain\ntypes of physical security needs, thereby leaving posts, especially high-threat posts, more\nvulnerable to threats.\n\n        The lack of coordination between DS and OBO may also create confusion about which\nbureau is responsible for addressing physical security deficiencies outside of OSPB standards,\nwhat risk factors should be considered when determining which projects to fund, and how to\nhandle physical security deficiencies at posts where future work is planned. Both DS and OBO\nare ultimately responsible for ensuring that U.S. Government employees are safe and secure at\noverseas facilities. Therefore, it is essential that decisionmakers have the most up-to-date\ninformation from both DS and OBO on the current environment at the 280 overseas locations to\nensure that informed physical security funding decisions are made.\n\n       Recommendation 4. OIG recommends that the Bureau of Diplomatic Security (DS), in\n       coordination with the Bureau of Overseas Buildings Operations (OBO), develop and\n       implement a process to collect and maintain a comprehensive list of all posts\xe2\x80\x99 physical\n       security-related deficiencies. The list of physical security deficiencies should include all\n       needs, not just those that have been approved or instances of non-compliance with\n       standards. The process should also require that the list be updated when new physical\n       security deficiencies are identified. If DS and OBO elect to use the DS SharePoint Tool\n       as the basis for maintaining a list of physical security needs, DS should ensure that\n       OBO\xe2\x80\x99s requirements are integrated into the development of the tool and that OBO has\n       sufficient access to the information.\n\n       DS Response: DS concurred with the recommendation, stating that it had deployed a\n       Physical Security Survey site, which, in addition to its Project Management Solution,\n       \xe2\x80\x9cwill provide a comprehensive list of physical security deficiencies.\xe2\x80\x9d However, DS noted\n       that the \xe2\x80\x9cphysical security requirements are based upon standards set forth by\xe2\x80\x9d OSPB.\n       DS further stated that the recommendation is \xe2\x80\x9cvery inclusive\xe2\x80\x9d and \xe2\x80\x9cdoes not take into\n       account the difference between \xe2\x80\x98needs\xe2\x80\x99 and \xe2\x80\x98wants,\xe2\x80\x99\xe2\x80\x9d which \xe2\x80\x9cwould add an un-vetted\n                                                34\n                                        UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\nrequest and label it as a security deficiency.\xe2\x80\x9d DS added that it planned to \xe2\x80\x9cmeet with\nOBO to determine OBO requirements to be considered for integration into the new\xe2\x80\x9d\nSharePoint Tool.\n\nOBO Response: OBO stated that \xe2\x80\x9cthe list of physical security deficiencies should\nconsist of valid deficiencies vetted by DS against the appropriate\xe2\x80\x9d standards. OBO stated\nthat this would \xe2\x80\x9cprovide a validated universe of requirements to be addressed, with new\nvalid requirements added as they are identified.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation unresolved. OIG agrees that the list\nof physical security deficiencies to be maintained by the Department should include only\n\xe2\x80\x9cvalid\xe2\x80\x9d deficiencies. However, there seems to be a discrepancy between what DS, OBO,\nand OIG consider to be \xe2\x80\x9cvalid\xe2\x80\x9d physical security deficiencies. The list of deficiencies\nmaintained by the Department should include any instance when the physical security at\na post is not in accordance with OSPB standards, as suggested by DS and OBO.\nHowever, OIG believes the list should also include instances where the condition of the\nphysical security-related equipment or structure no longer allows the item to function\nproperly, which is not always considered a deficiency by the Department. For example,\nduring the exit conference, one DS official suggested that if a FE/BR door had a broken\nlock, it should not be considered a physical security deficiency, because the existence of a\nFE/BR door meant that OSPB standards were met. The DS official considered the\nbroken lock to be a maintenance issue, not a physical security deficiency, and did not\nbelieve that it was necessary to track this item as a physical security deficiency. In\naddition, as explained in the report, posts may have physical security deficiencies that are\nnot addressed by OSPB standards.\n\nThe Department should maintain a comprehensive list of all physical security-related\ndeficiencies. The list could identify those that have not been approved, are maintenance\nrelated, or are not required by standards. However, these deficiencies should be included\nin a comprehensive and transparent list, and these items should be considered when\nmaking decisions on which deficiencies have the highest priority for funding. OIG will\nresolve this recommendation once DS, in coordination with OBO, agrees to develop and\nimplement a process to collect and maintain a comprehensive list of all posts physical\nsecurity-related deficiencies, not just one type of deficiency.\n\nRecommendation 5. OIG recommends that the Bureau of Diplomatic Security develop\nan implementation plan for the new SharePoint physical security survey tool. This\nimplementation plan should establish a reasonable deadline for all posts to populate the\ntool with information on physical security deficiencies and should ensure that the tool has\nthe functionality needed to generate sufficient reports in order to more easily determine\nposts\xe2\x80\x99 physical security needs.\n\nDS Response: DS concurred with the recommendation, stating that it \xe2\x80\x9chas established an\nimplementation timeline.\xe2\x80\x9d DS further stated that it had \xe2\x80\x9cdeployed the physical security\nsurvey site four months ago\xe2\x80\x9d and that its goal was to survey all Chief of Mission facilities\n\xe2\x80\x9cwithin three years.\xe2\x80\x9d\n                                         35\n                               UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\n\n\nOIG Analysis: OIG considers the recommendation unresolved. The recommendation\nrequired DS to develop an implementation plan for the SharePoint physical security\nsurvey tool. One component of an implementation plan would be timeframes for\nimplementation, but there are many other items that should be a part of an effective\nimplementation plan. For example, the plan would include details of how the tool would\nbe used across DS offices as well as by OBO. The plan would also ensure that the\nSharePoint tool had the functionality to generate sufficient reports related to physical\nsecurity deficiencies. OIG will resolve this recommendation once DS agrees to develop a\ncomprehensive implementation plan for the SharePoint physical security survey tool.\n\nRecommendation 6. OIG recommends that the Bureau of Overseas Buildings\nOperations develop and implement a formal process to document all formal requests\nmade by posts for physical security funding, not just the requests that have been funded\nor approved, and the disposition of those requests.\n\nOBO Response: OBO concurred with the recommendation, noting that \xe2\x80\x9cfunding will be\npart of the overall process developed\xe2\x80\x9d for Recommendation 1.\n\nOIG Analysis: OIG considers the recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that OBO has\ndeveloped and implemented a process to document all formal requests for funding and\nthe disposition of those requests.\n\nRecommendation 7. OIG recommends that the Bureau of Diplomatic Security develop\nand implement a formal standardized process to vet informal physical security-related\nfunding requests made by posts, which would include documenting all informal requests\nmade by posts for physical security funding, not just the requests that have been\napproved, and the disposition of those requests.\n\nDS Response: DS concurred with the intent of the recommendation but suggested that\nthe recommendation be reworded \xe2\x80\x9cto state that DS does not have \xe2\x80\x9cinformal\xe2\x80\x9d requests and\nall formal requests\xe2\x80\x9d are reviewed as outlined in its response to Recommendation 1.\n\nOIG Analysis: OIG considers the recommendation unresolved. DS did have an\ninformal process in place to vet posts\xe2\x80\x99 requests before the RSO could submit a formal\nrequest for funding. RSOs and Desk Officers discuss a post\xe2\x80\x99s physical security needs. In\nsome cases, the Desk Officer tells the post not to submit a formal request because the\nDesk Officer believes that it will not be funded. Because this is an informal process,\nthere is no assurance of consistency in decisions being made about what should be\nsubmitted for funding. In addition, the Department does not have a comprehensive list of\nwhat posts have identified as deficiencies or an accurate report of the disposition of the\ndeficiencies, which makes accountability for decisions made on funding more difficult to\ndetermine. OIG will resolve this recommendation once DS agrees to develop and\nimplement a formal standardized process to vet informal physical security-related\nfunding requests made by posts.\n                                          36\n                                 UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\n\n\nRecommendation 8. OIG recommends that the Bureau of Overseas Buildings\nOperations, in coordination with the Bureau of Diplomatic Security, develop and\nimplement formal standardized processes to prioritize physical security-related\ndeficiencies at posts by category, such as major physical security upgrades, forced\xc2\xad\nentry/ballistic-resistant projects, and minor physical security upgrades. The\nprioritizations should be performed based on a comprehensive list of all physical security\nneeds and should be periodically updated based on changes in risk factors or posts\xe2\x80\x99\nneeds. The processes used to perform the prioritizations should be documented and\nrepeatable. In addition, in developing the processes, consideration should be given to\nhow the Overseas Security Policy Board standards will be utilized, what risk factors will\nbe considered, and what impact upcoming major rehabilitation projects or new\nconstruction would have on the prioritized rankings.\n\nOBO Response: OBO concurred with the recommendation. However, OBO stated that\n\xe2\x80\x9cthe prioritization should be performed on a comprehensive list of DS validated\ndeficiencies.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation resolved based on OBO\xe2\x80\x99s\nconcurrence. This recommendation can be closed when OIG reviews and accepts\ndocumentation showing that OBO, in coordination with DS, has developed and\nimplemented formal standardized processes to prioritize physical security-related\ndeficiencies. OIG agrees that OBO should not prioritize physical security-related\ndeficiencies that DS has determined are not valid deficiencies. However, OIG again\nemphasizes that the list of physical security-related deficiencies should be comprehensive\nand should note the disposition of the deficiencies, including those determined by DS to\nnot be valid and which OBO will not include in its prioritization process.\n\nRecommendation 9. OIG recommends that the Bureau of Diplomatic Security (DS), in\ncoordination with the Bureau of Overseas Buildings Operations (OBO), better define the\nroles and responsibilities of each bureau to ensure that both bureaus are fully involved in\nthe process to prioritize and fund physical security needs at posts. As part of developing\nthese roles and responsibilities, a process should be established to have a neutral party\nreview and make decisions when disagreements arise about funding decisions between\nOBO and DS.\n\nDS Response: DS concurred with the intent of the recommendation but stated that \xe2\x80\x9cDS\nand OBO work collaboratively\xe2\x80\x9d to ensure that the \xe2\x80\x9cproper State Operations appropriation\nis used to fund physical security upgrades.\xe2\x80\x9d\n\nOBO Response: OBO concurred with the recommendation \xe2\x80\x9cwith the exception of the\nneutral party.\xe2\x80\x9d OBO stated that it did not think there were \xe2\x80\x9cfunding decisions\xe2\x80\x9d that could\nnot be resolved between OBO and DS; however, if there were, the Under Secretary for\nManagement would make the decision.\n\n\n                                     37\n                                UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\n\nOIG Analysis: OIG considers the recommendation resolved. This recommendation can\nbe closed when OIG reviews and accepts documentation showing that DS and OBO have\nbetter defined roles and responsibilities to ensure that both bureaus are fully involved in\nthe process to prioritize and fund physical security needs at posts. DS and OBO should\ninclude a description of the Under Secretary for Management\xe2\x80\x99s role in the process.\n\nRecommendation 10. OIG recommends that the Bureau of Overseas Buildings\nOperations, in coordination with the Bureau of Diplomatic Security, develop and issue a\nLong-Range Physical Security Plan.\n\nOBO Response: OBO did not concur with the recommendation, stating that its existing\nLong-Range Plan \xe2\x80\x9cincludes Compound Security Program project details and funding\ntotals post by post, where applicable.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation unresolved. As OIG noted in the\nreport, OBO\xe2\x80\x99s Long-Range Plan included some compound security program projects.\nHowever, the Plan did not include all physical security-related deficiencies. An\nacceptable alternative to developing a separate long-range physical security plan would\nbe to expand the existing Long-Range Plan to include all physical security-related\ndeficiencies. OIG will resolve this recommendation when OBO, in coordination with\nDS, agrees to develop and issue a Long-Range Physical Security Plan.\n\n\n\n\n                                     38\n                                UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n                                 List of Recommendations\n\n\nRecommendation 1. OIG recommends that the Bureau of Diplomatic Security, in coordination\nwith the Bureau of Overseas Buildings Operations, develop and implement standard policies and\nprocedures for requesting funds for physical security-related needs and document the policies\nand procedures in a manner that is easily accessible by post security officials (for example, in a\n\xe2\x80\x9cphysical security funding handbook\xe2\x80\x9d). Consideration should be given to how the SharePoint\ntool currently in development can be used to simplify the request processes.\n\nRecommendation 2. OIG recommends that the Bureau of Overseas Buildings Operations\ndevelop and implement a process to respond to posts\xe2\x80\x99 formal requests for physical security-\nrelated funding, which should include commitments to respond within certain timeframes.\n\nRecommendation 3. OIG recommends that the Bureau of Diplomatic Security develop and\nimplement a methodology to periodically communicate the processes to request funds for\nphysical security-related needs to all post security officials.\n\nRecommendation 4. OIG recommends that the Bureau of Diplomatic Security (DS), in\ncoordination with the Bureau of Overseas Buildings Operations (OBO), develop and implement\na process to collect and maintain a comprehensive list of all posts\xe2\x80\x99 physical security-related\ndeficiencies. The list of physical security deficiencies should include all needs, not just those\nthat have been approved or instances of non-compliance with standards. The process should also\nrequire that the list be updated when new physical security deficiencies are identified. If DS and\nOBO elect to use the DS SharePoint Tool as the basis for maintaining a list of physical security\nneeds, DS should ensure that OBO\xe2\x80\x99s requirements are integrated into the development of the tool\nand that OBO has sufficient access to the information.\n\nRecommendation 5. OIG recommends that the Bureau of Diplomatic Security develop an\nimplementation plan for the new SharePoint physical security survey tool. This implementation\nplan should establish a reasonable deadline for all posts to populate the tool with information on\nphysical security deficiencies and should ensure that the tool has the functionality needed to\ngenerate sufficient reports in order to more easily determine posts\xe2\x80\x99 physical security needs.\n\nRecommendation 6. OIG recommends that the Bureau of Overseas Buildings Operations\ndevelop and implement a formal process to document all formal requests made by posts for\nphysical security funding, not just the requests that have been funded or approved, and the\ndisposition of those requests.\n\nRecommendation 7. OIG recommends that the Bureau of Diplomatic Security develop and\nimplement a formal standardized process to vet informal physical security-related funding\nrequests made by posts, which would include documenting all informal requests made by posts\nfor physical security funding, not just the requests that have been approved, and the disposition\nof those requests.\n\nRecommendation 8. OIG recommends that the Bureau of Overseas Buildings Operations, in\ncoordination with the Bureau of Diplomatic Security, develop and implement formal\n                                              39\n                                      UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nstandardized processes to prioritize physical security-related deficiencies at posts by category,\nsuch as major physical security upgrades, forced-entry/ballistic-resistant projects, and minor\nphysical security upgrades. The prioritizations should be performed based on a comprehensive\nlist of all physical security needs and should be periodically updated based on changes in risk\nfactors or posts\xe2\x80\x99 needs. The processes used to perform the prioritizations should be documented\nand repeatable. In addition, in developing the processes, consideration should be given to how\nthe Overseas Security Policy Board standards will be utilized, what risk factors will be\nconsidered, and what impact upcoming major rehabilitation projects or new construction would\nhave on the prioritized rankings.\n\nRecommendation 9. OIG recommends that the Bureau of Diplomatic Security (DS) and the\nBureau of Overseas Buildings Operations (OBO) better define the roles and responsibilities of\neach bureau to ensure that both bureaus are fully involved in the process to prioritize and fund\nphysical security needs at posts. As part of developing these roles and responsibilities, a process\nshould be established to have a neutral party review and make decisions when disagreements\narise about funding decisions between OBO and DS.\n\nRecommendation 10. OIG recommends that the Bureau of Overseas Buildings Operations, in\ncoordination with the Bureau of Diplomatic Security, develop and issue a Long-Range Physical\nSecurity Plan.\n\n\n\n\n                                             40\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\n\n                                                                                                   Appendix A\n\n                                       Scope and Methodology\n        The Office of Inspector General (OIG) contracted with Kearney & Company, P.C., to\nconduct a performance audit of the processes used by overseas posts to request funds for\nphysical security-related activities and the processes used by the Department of State\n(Department) to determine which requests for physical security-related activities to fund.\nSpecifically, the objectives of this audit were to identify the FY 2012 funding mechanisms and\namounts expended for physical security-related activities at Department-owned or -operated\nbuildings overseas, determine whether the process for posts to request funds for physical security\nneeds at Department-owned or -operated buildings was easy to use and was understood by post\nsecurity officials, and determine to what extent the Department used physical security funds for\nhigh-priority physical security needs at overseas posts during FY 2012.\n\n        Kearney conducted fieldwork for this audit from March to August 2013 at the Bureaus of\nDiplomatic Security (DS), Overseas Buildings Operations (OBO), and Budget and Planning.\nKearney planned and performed this audit in accordance with requirements in the Government\nAccountability Office\xe2\x80\x99s Government Auditing Standards. Those standards require that Kearney\nplan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for the findings and conclusions based on the audit objectives. Kearney believes that the\nevidence obtained provides a reasonable basis for the findings and conclusions based on the audit\nobjectives.\n\n        To obtain background information for this audit, Kearney researched and reviewed the\nU.S. Code; the Department\xe2\x80\x99s Foreign Affairs Manual and Foreign Affairs Handbook, including\nthe Overseas Security Policy Board standards; the Security Environment Threat List; the Long\nRange Overseas Maintenance Plan; prior OIG and Government Accountability Office reports;\nand information available on the Department\xe2\x80\x99s Intranet. Kearney reviewed OBO\xe2\x80\x99s Repair and\nImprovement Program Cookbook and the Buildings Management Integrated System (BMIS)\noverview of the Repair and Improvement program to gain an understanding of the process used\nto request funds. Kearney obtained the Basic Regional Security Officer course curriculum and\nmaterials to gain an understanding of the degree to which Regional Security Officers (RSO) are\ntrained on the process to request funds for physical security needs.\n\n        Kearney met with officials from the Bureau of Budget and Planning and OBO to obtain\nan understanding of the sources of funds the bureaus used to address physical security needs at\nDepartment-owned or -operated buildings overseas and the fiscal codes used to record overseas\nphysical security transactions in the Department\xe2\x80\x99s accounting system. Based on the information\nobtained, Kearney identified the fund codes that the Department used for physical security needs.\nKearney also identified the function codes 1 that were specific to physical security-related\nactivities. Kearney used this information to identify the amounts expended for physical security-\nrelated activities overseas. Specifically, Kearney obtained a detailed transaction listing of\n\n1Function codes are codes used to identify and report on the type of expenses related to the Department\xe2\x80\x99s programs\nand activities.\n                                                   41\n                                              UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\nFY 2012 expense activity from the Department\xe2\x80\x99s domestic accounting system, the Global\nFinancial Management System (GFMS). Using the security-related fund codes, Kearney\nsummarized the expense activity by program to identify security-related expenditures. Kearney\nthen determined the expenses specifically related to physical security using the identified\nfunction codes.\n\n       Kearney met with DS and OBO officials to obtain an understanding of the processes for\nrequesting and prioritizing physical security-related activities at overseas posts. Specifically,\nKearney met with officials in OBO\xe2\x80\x99s Program Security Operations Branch, OBO\xe2\x80\x99s Office of\nArea Management, DS\xe2\x80\x99 Project Coordination Branch, and DS\xe2\x80\x99 Office of Overseas Protective\nOperations to gain an understanding of their roles and responsibilities in the physical security\nfunding process. Kearney also obtained an understanding of the Compound Security Program\nand the types of physical security requests funded from officials in OBO\xe2\x80\x99s Program Security\nOperations Branch, as well as this branch\xe2\x80\x99s process for receiving and prioritizing requests.\n\n       Kearney met with various officials from OBO\xe2\x80\x99s Office of Area Management to determine\nwhether they fund any aspects of physical security as part of the Repair and Construction\nProgram, as well as to learn more about BMIS and how it is used. Kearney met with officials\nfrom both the Forced-Entry/Ballistic-Resistant and Mechanical Engineering Divisions, each of\nwhich manage subprograms within the Compound Security Program, to determine the specific\naspects of compound security upgrades they fund and their process for receiving and prioritizing\nrequests. Kearney met with officials overseeing OBO\xe2\x80\x99s Value Engineering programs to obtain\ninformation on the value engineering review of all OBO projects and on whether the review has\nhad any significant impact on physical security projects.\n\n        Kearney also met with DS Desk Officers from the Project Coordination Branch to obtain\nan understanding of their role in facilitating and funding physical security requests. Kearney met\nwith officials from DS\xe2\x80\x99 Overseas Support Branch to learn if that branch, which is responsible for\nfunding most technical security needs at overseas posts, also funded any aspects of physical\nsecurity. Kearney met with DS\xe2\x80\x99 Office of Regional Directors to learn more about their role in\ncollecting and reviewing security surveys conducted by post security officials. Kearney met with\nDS\xe2\x80\x99 Office of Overseas Protective Operations to gain an understanding of whether that office\nfunds physical security other than through the Residential Security Program. Kearney met with\nofficials from DS\xe2\x80\x99 Physical Security Division to learn about the new SharePoint site that DS was\ncreating that will host and retain physical security surveys conducted by post security officials.\n\n        To determine whether the process for posts to request funds for physical security-related\nneeds was easy to use and was understood, Kearney, in conjunction with OIG, distributed a\nquestionnaire to post security officials. Information on the methodology used to develop and\ndistribute the questionnaire is included in the section \xe2\x80\x9cDetailed Questionnaire Methodology\xe2\x80\x9d in\nthis appendix.\n\n        To determine the extent to which the Department used physical security funds for high-\npriority physical security needs, Kearney requested a comprehensive list of all posts\xe2\x80\x99 physical\nsecurity-related deficiencies and a list of posts\xe2\x80\x99 FY 2012 requests. However, these lists were not\nmaintained by the Department. In addition, Kearney requested, but was unable to obtain,\n                                                   42\n                                          UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\n\nstandard documented criteria for prioritizing the physical security deficiencies and requests.\nWithout this information, Kearney was not able to select a sample of post physical security\ndeficiencies and requests and duplicate the prioritization process. As a result, Kearney could not\ndetermine the extent to which high-priority physical needs were funded.\n\nUse of Computer-Processed Data\n\n        The audit team used computer-processed data obtained from the Department during this\naudit. Kearney obtained the FY 2012 trial balance for the Department and details of\nexpenditures made by the Department during FY 2012 from the Department\xe2\x80\x99s domestic financial\nmanagement system, GFMS. The objectives of this audit were not to ensure the accuracy of\nexpenditures made. The information was instead used to try to determine the amount spent\nduring FY 2012 on physical security-related activities. Therefore, Kearney did not perform tests\nof controls or substantive testing of the expenditure information obtained from GFMS to assess\ndata reliability. However, GFMS is used to prepare the annual financial statements, which are\naudited. Based on how the information was used in this report, Kearney determined that the data\nwas sufficiently reliable for its needs.\n\n        Kearney obtained reports from BMIS to determine whether requests from high-priority\nposts existed for FY 2012 that had not been addressed, scheduled, or funded by the Department.\nHowever, Kearney noted that BMIS was not used to its maximum extent for tracking physical\nsecurity needs, and the information in the reports did not reflect the current status of potential\nprojects. Therefore, Kearney did not validate the information provided and did not use data from\nBMIS to draw conclusions.\n\nWork Related to Internal Controls\n\n        Kearney performed steps to assess the adequacy of internal controls related to the areas\naudited. For example, Kearney identified control deficiencies that led to its findings related to\nthe Department\xe2\x80\x99s processes to request funding for and prioritize physical security needs. Work\nperformed on internal controls during the audit is detailed in the section \xe2\x80\x9cAudit Results\xe2\x80\x9d of the\nreport.\n\nDetailed Questionnaire Methodology\n\n        The primary objective of the questionnaire was to obtain feedback from post security\nofficials as to whether the process to request funds for physical security needs at overseas\nbuildings was clear and easy to use. OIG requested that responses be limited to funding for\nphysical security-related needs. OIG\xe2\x80\x99s SharePoint 2 specialist developed and placed the\nquestionnaire on SharePoint. As post security officials completed and submitted their responses,\nKearney viewed and collected those responses via SharePoint.\n\n\n2SharePoint is a Microsoft web application platform that provides intranet portals, document and file management\ncollaboration, system migration, process integration, and workflow capabilities.\n\n                                                   43\n                                              UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n\n       Identification of Regional Security Officers\n\n        OIG obtained a DS Telephone List, dated July 19, 2013, from the DS Intranet site to\nidentify RSOs. If the RSO position for a post was vacant on the DS Telephone List, OIG used\nthe Department\xe2\x80\x99s Telephone Directory of Key Officers List, dated July 22, 2013, which was\nobtained from the Department\xe2\x80\x99s Intranet site, to identify the RSO at that location. If there was\nno RSO listed on either of these lists, OIG identified the next security officer listed for that post,\nsuch as the Deputy RSO or the Security Analyst.\n\n        OIG emailed the questionnaire with instructions for completion to the 218 security\nofficials identified. In some cases, OIG received a response to the email with an auto-reply\nmessage that the individual either had transferred from the post or would be out of the office past\nthe date of the questionnaire\xe2\x80\x99s deadline. In these cases, OIG replaced the original addressee by\nemailing the questionnaire to the next security official on the DS Telephone list or to the\nalternate person identified in the auto-reply message.\n\n       Completed Questionnaires\n\n        Of 218 questionnaires distributed to post security officials, OIG received 133 completed\nquestionnaires, for a response rate of 61 percent. Kearney collected the completed\nquestionnaires via SharePoint and exported the data to an Excel spreadsheet for analysis. Of 133\nquestionnaires received, Kearney excluded one from its aggregate analysis because a response to\none question contradicted another, along with the fact that the most of the questionnaire had not\nbeen completed. As a result, Kearney analyzed 132 completed questionnaires. The survey and\nthe survey results are provided in Appendix B.\n\n\n\n\n                                              44\n                                         UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n                                                                                      Appendix B\n\n\n                                           United States Department of State\n                                           and the Broadcasting Board of Governors\n\n                                           Office of Inspector General\n\n\n\n                           Physical-Security Funding Questionnaire\n\nThe Office of Inspector General (OIG), Office of Audits, is conducting an audit of the process\nused by posts to request funding for physical security-related needs. OIG is requesting that you\ncomplete a questionnaire on this subject.\n\nRSOs at Critical/High Threat posts previously received an OIG questionnaire in January 2013,\nrelated to improving security at critical and high threat posts. That OIG questionnaire included\na few questions related to funding needs. After it received the responses to the preliminary\nquestionnaire, OIG made a decision to significantly expand its work related to funding to include\nan assessment of the process used by all posts to request funding for any physical security need.\n\nThe purpose of the current questionnaire is to obtain feedback from post officials as to whether\nthe process for posts to request funds for physical security needs at overseas buildings is\nunderstandable and easy to use. Although OIG is sending this questionnaire to RSOs, we\nencourage RSOs to obtain additional information from other post officials, such as the Facilities\nMaintenance Officer, in order to provide complete information on the process used by posts to\nrequest funding for physical security needs. If an RSO is responsible for more than one post,\nOIG requests the responses address funding issues solely at the primary post for which the RSO\nis responsible.\n\nOIG is requesting that responses be limited to funding for physical security-related needs. For\npurposes of this questionnaire, OIG defines \xe2\x80\x9cphysical security\xe2\x80\x9d as measures designed to deny\naccess to unauthorized personnel (including attacks or intruders) from facilities and to safeguard\npersonnel working in those facilities. Physical security includes concrete, tangible measures to\ndeter access, such as locked doors, perimeter fences, or other barriers. Technical or Procedural\nSecurity needs are not being covered by this audit. In addition, short-term leased, residential\nproperty is not included in this audit.\n\nThis questionnaire is intended as an initial data-gathering tool. OIG will not issue\nrecommendations based solely on the responses to this questionnaire. This questionnaire should\ntake approximately 15 minutes to complete. However, some requested information may need to\nbe obtained from other sources within the Embassy. Please complete the questionnaire by\nmarking the desired choice or typing in a response when required. Space has been provided at\nthe end of the questionnaire for any additional comments you might want to make.\n\n                                             45\n                                        UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n\n\nKearney Notes:\n\n   1.\t\t Responses are first expressed in raw totals enclosed by parenthesis followed by\n\n\n        percentages, unless specified otherwise. \n\n   2.\t\t The number of responses to each question is not identical because respondents did not\n        answer all questions and some questions allowed multiple answers.\n   3.\t\t Percentages may not add to 100 due to rounding.\n   4.\t\t For Questions 8, 9, and 11-19, asterisks indicate that \xe2\x80\x9cNot applicable\xe2\x80\x9d responses were\n        filtered from the data for clarity of the analysis and presentation. Only respondents\n        actually providing assessments were included in calculating the percentages reported.\n\n\n\n\n                                           46\n                                      UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n\n\n1. What is your position at post? (Please select one.)\n\n   1. \t[(104) 79%] Regional Security Officer\n   2. \t[(3) 2%] Deputy Regional Security Officer\n   3. \t[(21) 16%] Assistant Regional Security Officer\n   4. \t[(0) 0%] Post Security Officer\n   5. \t[(4) 3%] Other\n\n2. \tApproximately how many years of experience do you have in Department of State security\n    matters?        years\n\n   Responses averaged 13 years of experience.\n\n3. \tDid your post have any physical security-related needs in FY 2012?\n\n   1. \t[(83) 63%] Yes\n   2. \t[(49) 37%] No\n\n4. What was the reason(s) for the physical security-related need(s) of your post in FY 2012?\n   (Please select all that apply.)\n\n   1. \t[(71)] Existing deficiencies\n   2. \t[(38)] Normal deterioration of the facility\n   3. \t[(22)] New physical security requirements established\n   4. \t[(18)] Increase in physical security-related risks at post\n   5. \t[(7)] Other\n\n5. \tDid your post formally request funding for any of these physical security-related needs during\n   FY 2012?\n\n   1. \t[(59) 71%] Yes\n   2. \t[(24) 29%] No\n\n6. \tPlease provide the reason(s) for not formally requesting funding for all needs. (Please select\n    all that apply; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if your post formally requested funds for all of its\n    FY 2012 physical security-related needs.)\n\n   1. \t[(8)] Post chose to fund need using post funds\n   2. \t[(8)] Post did not believe that the need would be funded\n   3. \t[(4)] Post was advised by Department officials in Washington not to request funds\n   4. \t[(3)] Funds for same need were requested previously and denied\n   5. \t[(4)] Post received waiver/exception for physical security-related need\n   6. \t[(2)] Post considered process to request funds confusing or difficult\n   7. \t[(30)] Other\n   8. \t[(37)] Not applicable.\n\n                                              47\n                                         UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n7. \t Please complete the table below regarding the physical security-related needs of your post\n     in FY 2012. (Please provide the \xe2\x80\x9cNumber of Needs\xe2\x80\x9d for each type of security need; insert\n     \xe2\x80\x9cNA\xe2\x80\x9d for \xe2\x80\x9cNot applicable\xe2\x80\x9d in the columns only if you post did not make any formal\n     requests to the Department for funds.)\n\nFor purposes of this questionnaire, OIG is using the following definitions:\n\n   \xe2\x80\xa2\t\t Minor Physical Security Upgrade \xe2\x80\x93 Post-managed projects with upgrades to perimeter\n       protection, facility protection, and interior protection to bring deficient facilities into\n       compliance with OSPB standards. Generally less than $250,000.\n   \xe2\x80\xa2\t\t Major Physical Security Upgrade \xe2\x80\x93 OBO-managed projects with upgrades to perimeter\n       protection, facility protection, and interior protection to bring deficient facilities into\n       compliance with OSPB standards. Generally more than $250,000.\n   \xe2\x80\xa2\t\t Repair and Improvement \xe2\x80\x93 Projects to restore deteriorated or damaged property to its\n       original condition or increase a property\xe2\x80\x99s value or change its use.\n   \xe2\x80\xa2\t\t Other Security Issues \xe2\x80\x93 Any projects relating to physical security that are not\n       encompassed by the previous categories, such as upgrades that are not related to OSPB\n       standards but may be warranted given special circumstances at an overseas post.\n\n                                                      Number of              Number of\n       Type of Security-          Number of\n                                                      Requests to         Requests Funded\n        Related Need                Needs\n                                                      Fund Needs         by the Department\n    Minor Physical Security      [Range: 0\xe2\x80\x9312]       [Range: 0\xe2\x80\x9310]            [Range: 0\xe2\x80\x9310]\n    Upgrades\n    Major Physical Security      [Range: 0\xe2\x80\x936]         [Range: 0\xe2\x80\x935]            [Range: 0\xe2\x80\x935]\n    Upgrades\n    Repair and Improvement       [Range: 0\xe2\x80\x9320]       [Range: 0\xe2\x80\x9310]            [Range: 0\xe2\x80\x9310]\n    Other Security Issues\n    Please Specify in the box    [Range: 0\xe2\x80\x935]         [Range: 0\xe2\x80\x932]            [Range: 0\xe2\x80\x932]\n    provided, which will\n    expand.\n\n8. \t For approximately what percentage of formal requests that were not funded did the post\n     receive an explanation from Department officials in Washington? (Please insert the\n     percent in the box below; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if your post\xe2\x80\x99s formal requests were\n     always funded or your post did not make any formal requests.)\n\n   [Responses averaged 44%]             percent\n   [*]   Not applicable\n\n\n\n\n                                             48\n                                        UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n\n\n9. Generally, how adequate or inadequate were the responses from Department officials in\nWashington as to why formal requests were not funded? (Please select one; only select \xe2\x80\x9cNot\napplicable\xe2\x80\x9d if your post never received a response or your post did not make any formal\nrequests.)\n\n   1. [(8) 24%] Very adequate\n   2. [(5) 15%] Somewhat adequate\n   3. [(7) 21%] Neither adequate nor inadequate\n   4. [(5) 15%] Somewhat inadequate\n   5. [(9) 26%] Very inadequate\n   6. [*] Not applicable\n\n10. \tFor formal requests for physical security funding made by the post that were not funded, in\n     what manner was post notified that the request was denied? (Please select all that apply;\n     only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if your post\xe2\x80\x99s requests were always funded or your post did not\n     make any formal requests.)\n\n   1. [7] Cable\n   2. [9] E-mail from OBO\n   3. [4] E-mail from DS\n   4. [4] Phone call from OBO\n   5. [1] Phone call from DS\n   6. [6] Post was not informed that a formal request was denied\n   7. [12] Other\n   8. [50] Not applicable\n\n11. Irrespective of whether your post formally requested funding for any physical security-\n    related needs, please provide the approximate total dollar amount of post funds spent in FY\n    2012 to address physical security-related needs. (Please insert the amount in the box\n    below; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if your post did not spend any of its funds for physical\n    security-related needs.)\n\n   [Responses ranged between $1,000-$2,500,000 and averaged $198,410] $                 of post\n       funds\n   [*]    Not applicable\n\n\n\n\n                                            49\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n\n12. Irrespective of whether your post formally requested funding for any physical security-\n    related needs, please provide the approximate total dollar amount spent in FY 2012 from\n    funds received from other agencies to address physical security-related needs. (Please\n    insert the amount in the box below; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if your post did not\n    formally request and did not receive any funds from other agencies.)\n\n   [Responses ranged between $15,000-$6,000,000 and averaged $1,086,421] $                  from\n       other agencies\n   [*]    Not applicable\n\n13. How adequate or inadequate are the written policies and procedures requesting funds for\n    physical security-related needs? (Please select one; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if you\n    never formally requested funds for security-related needs in FY 2012 or any other time.)\n\n   1.   [(19) 20%] Very adequate\n   2.   [(38) 40%] Somewhat adequate\n   3.   [(19) 20%] Neither adequate nor inadequate\n   4.   [(14) 15%] Somewhat inadequate\n   5.   [(6) 6%] Very inadequate\n   6.   [*] Not applicable\n\n14. To what extent, if at all, do you find the Security Equipment Responsibilities Matrix useful to\n    request funding for security-related needs? (Please select one; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d\n    if you never used the matrix.)\n\n   1.   [(21) 23%] Very great use\n   2.   [(24) 26%] Great use\n   3.   [(27) 29%] Moderate use\n   4.   [(12) 13%] Some use\n   5.   [(9) 10%] Little or no use\n   6.   [*] Not applicable\n\n15. \tHow adequate or inadequate is the training for requesting funds for physical security-related\n    needs? (Please select one; only select \xe2\x80\x9cNot applicable\xe2\x80\x9d if you never received training.)\n\n   1.   [(3) 4%] Very adequate\n   2.   [(20) 25%] Somewhat adequate\n   3.   [(17) 21%] Neither adequate nor inadequate\n   4.   [(17) 21%] Somewhat inadequate\n   5.   [(24) 30%] Very inadequate\n   6.   [*] Not applicable\n\n\n\n\n                                             50\n                                        UNCLASSIFIED\n\x0c                                          UNCLASSIFIED\n\n\n\n16. How adequate or inadequate is the assistance for requesting funds for physical security-\n    related needs provided by the following sources of assistance. (Please select one box in\n    each row; only select \xe2\x80\x9cNA\xe2\x80\x9d for \xe2\x80\x9cNot applicable\xe2\x80\x9d if you never availed yourself of any\n    assistance from DS and/or OBO.)\n\n                                                      Neither\n     Source of         Very          Somewhat        Adequate       Somewhat        Very         Not\n     Assistance      Adequate        Adequate           nor        Inadequate    Inadequate    Applicable\n                                                    Inadequate\n    DS               [(44) 40%]      [(49) 44%]     [(11) 10%]      [(6) 5%]      [(1) 1%]         *\n    assistance\n    OBO              [(18) 17%]      [(31) 30%]     [(23) 22%]     [(19) 18%]    [(14) 13%]        *\n    assistance\n\n17. How timely or untimely is the assistance provided by the following sources during the\nprocess of requesting funds for physical security-related needs? (Please select one box in each\nrow; only select \xe2\x80\x9cNA\xe2\x80\x9d for \xe2\x80\x9cNot applicable\xe2\x80\x9d if you never availed yourself of any assistance from\nDS and/or OBO.)\n\n                                                      Neither\n     Source of    Very Timely         Timely        Timely nor     Untimely        Very          Not\n    Assistance                                       Untimely                    Untimely      Applicable\n    DS               [(33) 30%]      [(48) 44%]     [(21) 19%]      [(8) 7%]     [(0) 0%]          *\n    assistance\n    OBO              [(14) 14%]      [(27) 26%]     [(31) 30%]     [(20) 19%]    [(11) 11%]        *\n    assistance\n\n18. How clear or unclear do you find the processes to request funding for security-related needs\n    in the following categories? (Please select one box in each row; only select \xe2\x80\x9cNA\xe2\x80\x9d for \xe2\x80\x9cNot\n    applicable\xe2\x80\x9d if you never requested funds for security-related needs in FY 2012 or any other\n    time.)\n\n                                                        Neither\n                          Very         Somewhat                      Somewhat       Very         Not\n      Type of Need                                    Clear Nor\n                          Clear          Clear                        Unclear      Unclear     Applicable\n                                                        Unclear\n    Minor Physical      [(21) 21%]     [(44) 44%]     [(15) 15%]    [(17) 17%]     [(3) 3%]        *\n    Security\n    Upgrades\n    Major Physical      [(17) 18%]     [(30) 32%]     [(15) 16%]    [(21) 22%]    [(11) 12%]       *\n    Security\n    Upgrades\n    Repair and          [(18) 20%]     [(33) 36%]     [(15) 16%]    [(21) 23%]     [(4) 4%]        *\n    Improvement\n    Other Security      [(14) 16%]     [(29) 34%]     [(18) 21%]    [(22) 26%]     [(2) 2%]        *\n    Issues\n\n\n                                               51\n                                          UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n19. How easy or difficult to use do you find the process to request funding for security-related\n    needs in the following categories? (Please select one box in each row; only select \xe2\x80\x9cNA\xe2\x80\x9d for\n    \xe2\x80\x9cNot applicable\xe2\x80\x9d if you never requested any funds for security-related needs in FY 2012 or\n    any other time.)\n\n                                                    Neither\n                                     Somewhat                   Somewhat        Very         Not\n      Type of Need     Very Easy                   Easy nor\n                                       Easy                      Difficult     Difficult   Applicable\n                                                    Difficult\n    Minor Physical     [(13) 13%]    [(35) 35%]   [(28) 28%]    [(20) 20%]     [(4) 4%]         *\n    Security\n    Upgrades\n    Major Physical      [(5) 6%]     [(24) 27%]   [(31) 35%]    [(18) 20%]    [(11) 12%]        *\n    Security\n    Upgrades\n    Repair and         [(11) 13%]    [(27) 31%]   [(28) 32%]    [(18) 20%]     [(4) 5%]         *\n    Improvement\n    Other Security      [(7) 8%]     [(26) 31%]   [(29) 35%]    [(16) 19%]     [(5) 6%]         *\n    Issues\n\n20. Please provide any comments concerning the overall process for requesting funds for\n    physical security-related needs as well as any other information that you think is important or\n    pertinent. (If you choose to respond, please type in the box provided, which will expand to\n    accommodate the size of your response.)\n\n   69 responses were provided to this optional question.\n\n\n\n\n                                             52\n                                        UNCLASSIFIED\n\x0c                                 UNCLASSIFIED\n\n\n\n\n                                                                                    Appendix C\n                   Bureau of Diplomatic Security Response\n\n\n\n                                                    United States Depanment of State\n\n                                                     Il~$hinglon,   D.C. 20520\n\n                                                    www.$tllle.gov\n\nUNCLASSIF IED                                       February 21, 2014\n\nINFORMATION MEMO TOINSPEC TOR GENERAL LINICK - O IG\n\nFROM ,       DS- Q"gory B.   Sta~~~S:;:~\n                                    ~ \'" \\                 fEB Z1 2111\\\nSUBJECT: OS Comments and Responses to the DIG Audit of the Process to\nRequest and Prioritize Physical Security-Related Activities at Overseas Posts\n(AUD-FM- 14-XX, Janu"\')\' 2014)\n\n      Attached is the Bureau ofOiplomatic Security\'s response to the draft rcpon.\n\nAttachment:\n    As stated.\n\n\n\n\n                                      53 \n\n                                 UNCLASSIFIED\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n\n                                     UNCLASSIFI ED\n\n\n                  DS Comments to OIG Audit Draft Report\n                Audit of the Process to Request :lnd Prioritize\n             Physical Security-Related Activities at Overseas Po sts\n                                (January 2014)\n\n\n       DS appreciates the opport unity to comment on the Office of Inspector\nGeneral\'s (OIG), (Draft) Report of the Audit of the Process to Request and\nPrioritize Physical Security Activities at Overseas Posts. DS believes the\nindependent audits and analysis undertaken by OIG are valuable tools in improving\nthe perfonnanee of our programs. DS also appreciates that OIG recognized the\nBureau\'s efforts to incorporate recommendations and strengthen our programs.\n\n       On February 3, 20 14, DS requested OIG send a copy of this draft rcpOit to\neach Regional Bureau Executive (EX) office for their comments. The Regional\nBureau EX offices had le<"lse issues that arc entwined with physical security\nrecOlllIllendations. The Post Management Officers (PMOs) need to have some\nvisibi hty on fac ility recommendations. However, DS was mfonned that OIG\nwould not allow the draft report to be sent to the regional EX offices. OIG would\nonly share the drafl reports with the action bureau at this time. DS be lieves it is\nnecessary for the regional EX ofllces to provide mput and would like it noted that\nwe requested action be taken.\n\n\n\n\n                                     UNCLASSIFIED\n\n\n\n\n                                     54 \n\n                                UNCLASSIFIED\n\n\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n\n                                     UNCLASSIFIED\n\n\nOS provides the following edits to the attached OIG draft audit\n\nInternational Programs Directorate/High Threa t Programs Directo rate. The\nIHtefRQtieHal \xc2\xa5!regHuHs DireeteFBle \'s mission of these directorates is to provide\nleadership, support , and oversight of overseas security and law enforcement\nprograms and related policy for the benefit of u.s. Goverrunent interests and the\ninternational community. The Directorate\' s Office of Regional Directors works to\nprovide a safe and secure environment for the conduct of u.s. foreign policy\nthrough the oversight and support of Regional Security Offices worldwide . The\nOffiee of Regional Directors oversees the work of over 700 regional security\nofficers (RSO) al over 250 posts worldwide. RSOs serve as personal security\nadvisors to the Chiefs of Mission on all security issues. RSOs are responsible for\nImplementing and managing the Department\'s security and law enforcement\nprograms abroad, and identify security needs at posts and request ftmds for those\nneeds. RSOs are residents at a particular post, but may be responsib le for other\nconstituent posts within their respective region.\n\nRecommem/(lt;olli: OIG recommends that the Bureau of Diplomatic Security, in\ncoordination with the Bureau of Overseas Buildings Operations, develop and\nimplement standard policies and procedures for requesting funds for physical\nseeurity. related needs and document the policies and procedures in a manner that\nis easily accessible by post security officials (for example, in a "physical security\nfunding handbook" ). Consideration should be given to how the SharePoint tool\ncurrently in development can be u<;ed to simplify the request processes.\n\nDS C omment: OS cUITcntly has a proccss for posts that require additional\nfunding, whether it is related to physical security, residential security, the local\nguard program, etc. The process will be clearly articulated as part of an anntml\noperating cable sent to RSOs, which is in draft. Posts, RSOs in particular, are\nll1slructed through operational cables and also through regul<lr commumc<ltions\nfrom program offices via cable, emai l, or telephone to send a front channel cable\noutlining the security requirement and include funding implications. The security\nrequirement is vetted by the appropriate DS program office and, if approved as a\nsecurity requirement, the DS office detennines whether the requirement should be\nfunded by DS or the Bureau of Overseas Buildings Operations (OBO). lffunding\nis not available, the DS office coordinates with the Office of the Chief Financial\nOfficer (DSfEXlCFO) to identify funding. DSfEXlCFO also validates the requests\nto ensure the correct State Opemtions appropriation is used . If OS believes that\nOBO, not DS, should fund , then DS/EXlCFO works with the appropriate offices\nwithin the Of11ee of the Legal Adviser and OBO\' s Office of Financial\n\n\n                                     UNCLASSIFIED\n\n\n\n\n                                     55 \n\n                                UNCLASSIFIED\n\n\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n\n                                     UNCLASSIFIED\n\n\nManagement (OBOIRMIFM) to make a detennmation. DS will ensure this\nprocedure is clearly articulated to posts, including through the use of an mmual\noperating cable.\n\nRegarding SharePoint, OS uses this program fo r many tasks; however, for\nrequesting ftulding, a fonnal front eharmcl cable funding request with direct\nresponse from the appropriate OS program office and OSlCFO funding validation\narc more appropriate.\n\nReCOllllllemltllioll 3: OIG recommends that the Bureau ofOiplomatic Security\ndevelop and Implement a methodology to penodically communicate the processes\nto request funds for physical security-related needs to all post security officials.\n\nDS Commcnt: OS concurs with the OIG recommendation . OS will explore the\npossibility ofmtegrating fund ing guidance and/or a funding request process within\nour new Physical Security Survey site or Project Management Solution. OS will\nalso inelude language about requesting funds for physical security upgrades in its\nannual operating cable.\n\nRecommemltltioll 4: 0 1G recommends that the Bureau of Diplomatic Security\n(OS), in coordination with the Bureau of Overseas Buildings Operations (OBO),\ndevelop and implement a process to collect and maintain a comprehensive list of\nall posts\' physical security-related deficiencies. The list of physical security\ndeficiencies should inelude all needs, not just those that have heen approved or\ninstances of noncompliance with standards. \xc2\xb7Ine process should also require that\nthe list be ulxiatcd whcn ncw physical security deficiencies arc identified. If DS\nand OBO elect 10 use the OS SharePomt Tool as the basis /()r mamlammg a list of\nphysical-security needs, OS should ensure that OBO\' s requirements arc integrated\ninto the development of the tool and that OBO has sufficient access to the\nmfOnllation.\n\nOS Commcnt: DS concurs with the OIG recommendation . On Septem ber 16,\n2013 , OS deployed the Physical Security Survey site, which provides RSOs with\nre-designed survey templates, a sct of tools, and guidance to conduct accurate and\ncomprehensive physical security surveys. This survey sile, III addition 10 our\nProject Management Solution, will provide a comprehensive list of physical\nsecurity deficiencies. However, it should be noted the physical security\nrequirements arc based upon standards set forth by the Overseas Scclll"ity Policy\nBoard (OSPS). In circwnstanees where extraordinary measures arc recommended,\n\n\n\n                                     UNCLASSIFIED\n\n\n\n\n                                     56 \n\n                                UNCLASSIFIED\n\n\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n\n                                     UNCLASSIFIED\n\n\nthese recommendations mllst be vetted at the appropriate Assistant Secretary or\nUnder Secretary level within the Department.\n\nDS believes the recommendation is very inclusive and does not take into accOWlt\nthe difference between "needs" and "wants." This would add an un-vetted request\nand labcl it as a security deficiency under a master list.\n\nOS will meet with OBO to detennine OBO requirements to be considered for\nintcgration into the new Physic.."11 Seewity Stuvey Site and business process. DS\ncannot provide a timeframe for mtegration until OBO reqUIrements are defined.\n\nRecommentltll;oll 5: OIG recommends that the Bureau of Diplomatic Security\ndevelop an nnplementalion plan for the new SharePoint physical security survey\ntool. This implementation plan should establish a reasonable deadline for all posts\nto populate the tool with m/(mnalion on physical security defiCiencies and should\nensure that the tool has the fWlc tionality needed to generate sulllcient reports ll1\norder to more easily detemline posts\' physical security needs.\n\nDS Commcnt: OS concurs with the OIG recommendation and has established an\nimplementation timeline. OS deployed the physical security stuVey site four\nmonths ago. A message was sent on the RSO console to posts worldwide\nexplaining the new tool (refer to the details in the attached doewnent). In addition,\ntraining was offered during the Bureau of Westem Hemisphere Affairs (WI-lA) and\nHigh Threat Programs (l)S!HTP) RSO conferences held in Washington.\n\nThc DS goal is to sUlVey all COM facili ties (2,000 +) within three years. The\nthree-year time frame is aligned with the ex istmg survey update cyele.\n\nRecommentltll;oll 7: OIG recommends that the Bureau of Diplomatic Security\ndevelop and Implement a fonnal standardized process to vet IIlfomlal physical\nsecurity-related fWlding requests made by posts, which would include\ndocumenting all mfonnal requests made by posts /()r physical security fundmg, not\njust the requests that have been approved, and the disposition of those requests.\n\nDS Commcnt: DS concurs with the mtent of this OIG recommendation but\nrecommends rewording the language. OS clearly states that if a post has a\nrequirement, post must send a cable. If an RSO sends an email and the program\noffice agrees with the need, the RSO should bc instructed to send a cable, per\nguidance. OS believes the language should be changed to state that OS docs not\n\n\n\n                                     UNCLASSIFIED\n\n\n\n\n                                     57 \n\n                                UNCLASSIFIED\n\n\n\x0c                                 UNCLASSIFIED\n\n\n\n\n\n\n                                      UNCLASSIFI ED\n\n\nhave "infonnal" requests and all fonnal requests, I.e., those sent V ia cable, are\nreviewed as outlined in Recommendation I.\n\nRecomme lll/alioll 9: OIG recommends that the Bureau of Diplomatic Security\n(DS) and the Bureau of Overseas Buildings Operations (OBO) better defme the\nroles and responsibilities of each bureau to ensure that both bureaus arc fully\ninvolved in the process to prioritize and ftmd physic..\'ll security necds at posts. As\npart of developing these roles and responsibilities, a process should be established\nto have a neutral party review and make decisions when disagreements arise about\nfunding decisions between OBO and OS .\n\nDS Comme nt: DS concurs with the intent of this recommendation As described\nIn the response to Recommendation I, OS and OBO \\vork collabomtively and In\nclose coordination with the Office of the Legal Adviser to ensure the proper State\nOperations appropnation is u,>ed to fund physical secunty upgrades. Moreover,\nDS and OBO strictly adhere to the "pick-and-stick" rule that appropriated fWlding\nfor a specific activity must adhere to that specified purpose, as well as to the\nregulations as codified in the FAM and FN-l.\n\n\n\n\n                                      UNCLASSIFIED\n\n\n\n\n                                      58 \n\n                                 UNCLASSIFIED\n\n\n\x0c                              UNCLASSIFIED\n\n\n\n\n                                                                                Appendix D\n            Bureau of Overseas Buildings Operations Response\n\n\n\n\n                                          United States Department of State\n\n                                          Washington, D.C. 20520\n\n\nUNCLASSIFIED\nMEMORANDUM                                     FEB 1 9 2014\n\n\n\n\nTO:           OIGI AUD - Mr. Norman Brown\n\nFROM:         OBOIRM - Jiirg HochuliJ4"\n\nSUBJECT: Draft Report on Audit of the Process to Request and Prioritize\n         Physical Security Related Activities at Overseas Posts\n\nThe Bureau of Overseas Buildings Operations (OBO) appreciates the opportunity\nto provide comments on the subject draft report.\n\nAttached are OBO\'s comments on the draft report. Our comments have been\ncoordinated with the Bureau of Diplomatic Security.\n\n\n\n\nAttachment:\n\n      As stated\n\n\n\n\n                               UNCLASSIFIED\n\n\n\n\n                                   59 \n\n                              UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\n\n\n                                   UNCLASSIFIED\n\n\n                 OBO Comments on the OIG Draft Report on\n             Audit ofthe Process to Request and Prioritize Physical\n                 Security Related Activities at Overseas Posts\n\nThe OIG requested OBO comments on the subject draft report. OBO appreciates\nthe opportunity to provide the following comments.\n\nOBO\'s Comments: The draft report contains several misleading statements\nconcerning the auditor\'s inability to determine how much was expended for\nphysical security in FY 2012. The report indicates that the Department expended\napproximately $938 million of Worldwide Security Upgrade funds, but could only\nattribute $76.1 million directly to physical security-related activities. The\nDepartment strongly disagrees with this mischaracterization of the facts. Funding\nin the Worldwide Security Upgrade account is appropriated by Congress\nspecifically and solely for the purpose of making physical security upgrades to\nexisting facilities or for the acquisition or construction of new facilities to improve\nthe security of the most vulnerable overseas posts. The Department is prohibited\nby law from using those funds for a purpose other than for security upgrades so by\ndefinition, all expenditures ofthese funds are for physical security. Therefore, the\nreport should be corrected to recognize the fact that the Department expended\napproximately $938 million of Worldwide Security Upgrade funds for physical\nsecurity-related activities, including the acquisition and construction of new\nfacilities.\n\nThe report makes several references to spending for security upgrades from\naccounts such as R&I and Major Rehabilitation and includes statements such as\n"Because R&I expenditures were recorded using R&! function code, the physical\nsecurity expenditures could not be accounted for separately" or" ... because\nphysical security components are included as part of the overall project, the\nphysical security expenditures cannot be identified separately by function\ncode ... " Such statements can be interpreted to imply that OBO did not properly\naccount for the physical security costs or that there is a deficiency in the\nDepartment\'s account structure. In fact, those costs were accounted for\nappropriately.\n\nThe Compound Security Program exists specifically to fund physical security\nupgrade projects, but it is not the only account from which security work may be\nfunded. As the report mentions, repairs to building systems or structures are\nfunded from the R&! account and it is a legitimate use of R&I funds to apply them\n\n                                   UNCLASSIFIED\n\n\n\n\n                                       60 \n\n                                  UNCLASSIFIED\n\n\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n                                 UNCLASSIFIED\n\n\nto a repair of a wall, door, or window. Similarly, the Major Rehabilitation\nProgram funds comprehensive renovation projects that may include physical\nsecurity enhancements. All expenditures for these projects are correctly charged to\nthe R&I or Major Rehab function codes, regardless of the specific scopes of work\nor what building systems are being worked on. The security components are not\naccounted for separately, and neither is the electrical, plumbing, or structural\nwork. For management and reporting purposes, the tracking of spending is done at\nthe project and function code level and the Department has no need or ability to\ntrack costs for every type of work that may be included in a project.\n\nOIG Statement on Page 12: The OIG states on page 12 that "In addition to the\nexpenditures for the three Worldwide Security Upgrade Programs, Kearney\nidentified expenditures of approximately $26.9 million for other items."\n\nOBO\'s Comments: The $26.9 million figure includes $20.5 million of ICASS\ncharges, likely from ICASS services on NEC and rehab projects.\n\nOIG Statement on Page 13: The OIG states on page 13 "Because R&I\nexpenditures were recorded using the R&I function code, the physical security\nexpenditures could be identified separately."\n\nOBO\'s Comments: Code should be codes as there is more than one R&I\nfunction code. Secondly, as noted above, the security components are not\naccounted for separately. For management and reporting purposes, the\ntracking of spending is done at the project and function code level and the\nDepartment has no need or ability to track costs for every type of work that\nmay be included in a project.\n\nOIG Statement on Page 14: OIG states on page 14 that .. . "OS has used\nWorldwide Security Protection funds for physical security related projects when\nthe projects were not funded by OBO .. . For example, OS had provided Worldwide\nSecurity Protection funds totaling $259,920 in FY 2012 for six physical security\nprojects relating to perimeter and internal security in Libya, Saudi Arabia, and\nYemen."\n\nOBO\'s Comments: This implies that the costs should have been OBO costs.\nWhile we do not have the specific details, DS provided funding in FY 2012 for\nthe Sanaa residential security upgrade, as well as upgrades at temporary\nmission facilities, using the correct DS funding. Same comment on page 30,\n\n                                 UNCLASSIFIED\n                                                                                  2\n\n\n\n\n                                     61 \n\n                                UNCLASSIFIED\n\n\n\x0c                               UNCLASSIFIED\n\n\n\n\n\n\n                                  IJNCI,ASSIFIED\n\n\nthe funding was for the temporary mission facilities , again usin g the correct\n(DS) fundin g.\n\nOIG Statement on Page 21: OIG states on page 21 that, "Further, 40 respondents\n(30 percent) stated that their posts used post funds ranging from $ 1,000 to $2.5\nmillion for physical security needs in FY 2012 rather than submitting a fonnal\nrcquc>;t for funding "\n\nOBO\'s Comments: Thc report notcs that OBO and DS stated this would be in\nviolation of appropriation law. It is specul ation without knowing the posts in\nquestion , but It more likely answer (since the sun\'cy went only to security\nofficers and not financ e officcrs) is that the survey responses were in error.\nFinance is not so mething RSOs specia lize in , nor should they. They often\nrefer to fundin g sent by OBO as "DS fundin g". Thc wonling of the question\ncould also have co ntributed to the responses (see OBO Co mm ents to\nQuestionnaire Question 11 below. see p:lge 5).\n\nOIG Statement on Page 23: OIG states on page 23 that ... "Instead flU1ding\ndecisions were often made by one i.ndividual without documented standards and\nguidance."\n\nOBO\'s Comments: Funding decisions (determining the appropriate funding\nsourcc for proposed sccurity upg rades) arc hased on the funding\nresponsibilitie~ outlined in 15 FAM 165. In addition, OBO would like to note\nthat thcre is an OBO-DS Physical Security Res ponsihility Matrix that was\napproved by VIS Kennedy. This document describes which office/Bureau is\nres ponsible for fundin g a nd unde rtakin g repa irs andlor maintenance of\nphys ical security equipment at posts thereby guiding fund ing decisio ns.\n\nOIG Statement on Page 23: OIG slates 0 11 p<lge 23 th<lt \'\'Neither OS nor aBO had\ndeveloped a comprehensive long-range physiC<l1 security plan that would help\nfocus attention on critical needs. "\n\nOBO\'s Comments: OBO would like to note that OBO\'s Long-Range Plan\nwhich is made avail:lble to all posts includes Com pound Security Program\nproject details and funding totals for each po st, where applicable.\n\nOIG Statement on Page 27: The OIG states on page 27 "Kearney also identified an\nIllstance where a post that was ranked III the top 15 percent of the most vulnerable\n\n                                  UNCLASSIFIED\n                                                                                    3\n\n\n\n\n                                    62 \n\n                               UNCLASSIFIED\n\n\n\x0c                               UNCLASSIFIED\n\n\n\n\n\n\n                                 IJNCI ,ASSIFIED\n\n\nposts on the OS Risk Matn x ,>vas not scheduled for an upgrade until FY 2017,\nwhile 25 of the 29 posts seheduled ... were rank ed lower. "\n\nOBO\' s Comments : The po st at issue is a low risk post which is considered in\nour assessment of the vulnerabilities. The main facilities have very little\nsetback, and there has been a succession of projects to improve the security\nsituation as much as possible, given the location. Th ere was a PAC project in\n2005, and there were barriers, booths, and knee wall projects around 2009.\nAs WIIS noted specifically on this post and projects in the inten\' iews, we arc\ncurrently working with post on safe area projec l~ in the main and leased office\nspace, but most of what can be done with the existing facility has already been\ndone. It is not being ignored, but there is little more that can be done.\n\nOIG Slatement on Page 28: The OIG states on page 28 Ihal ... "Area Managemenl\nOfficers within OBO\' s OlTIce of Area Management score the requests by assignmg\n\\veighted factors to 12 specific critena ..\n\nOBO\' s Comments: 080 uses 14 specific criteria, not 12.\n\nO IG Statement on Page 30: The OIG states on page 30 ... "OS officials requested\nthat OBO fund barriers 10 block off the road leading to the chancery entrance.\nHowever, OBO did not fund the request because the barriers would be placed\noutside the perimeter of the compound and were therefore not required by OSPB\nstandards."\n\nOBO\' s Co mmenh : The po st in question is II fully OSPB-complillnt NEC, and\nthe initial plan was to construct a diplomatic enclave by installin g barriers on\npublic roads approaching our compound and enclosing numerous missions in\nthe area. Nonetheless, once the details of the project were worked out, it was\nfunded in NOl\'ember 2012.\n\nO IG Statement on Page 30: The OIG also states on page 30, "However, when\nOBO does decline to fund physical security needs thaI O S considers essential, it\ncan be difticult for OS to address the deficiency. If OS considers the deficiency\nsignificant, the Desk Officers attempt to identify available funding that can be\nused . For instance, in FY 2012, the Office of Physical Security Programs fWlded\nsix physical security projects, totaling $259,820, that were related to perimeter\nsecurity."\n\n\n                                 UNCLA SSIFIED\n                                                                                    4\n\n\n\n\n                                    63 \n\n                               UNCLASSIFIED\n\n\n\x0c                                 UNCLASSIFIED\n\n\n\n\n\n                                  UNCLASSIFIED\n\n\nand received. The independent clause - "please provide the approximate total\ndollar amount of post funds spent in FY 2012 to address physical security\xc2\xad\nrelated needs" likely included physical security funding provided to posts.\n\nOBO Comments on the Recommendations:\n\nRecommendation I: OIG recommends that OS in coordination with OBO. develop\nstandard policies and procedures for requesting funds for physical security related\nneeds and document the policies and procedures.\n\nOBO\'s Comments: The recommendation should be changed slightly to " ...\npolicies and procedure for requesting physical secnrity upgrades and\ndocument the policies and procedures ... " The distinction is needed since\nfunding is near the end ofthe process - first the need has to be identified,\nscoped, possibly designed, etc. before a funding action is needed.\n\nRecommendation 2: OIG recommends that the OBO develop and implement a\nprocess to respond to posts\' formal requests for physical security-related funding,\nwhich should include commitments to respond within certain timeframes.\n\nOBO\'s Comments: OBO concurs, noting that funding will be part of the\noverall process developed in Recommendation 1.\n\nRecommendation 4: OlG recommends that the Bureau of Diplomatic Security\n(OS), in coordination with the Bureau of Overseas Buildings Operations (OBO),\ndevelop and implement a process to collect and maintain a comprehensive list of\nall posts\' physical security-related deficiencies. The list of physical security\ndeficiencies should include all needs, not just those that have been approved or\ninstances of noncompliance with standards. The process should also require that\nthe list be updated when new physical security deficiencies are identified. If OS\nand OBO elect to use the OS SharePoint Tool as the basis for maintaining a list of\nphysical-security needs, OS should ensure that OBO\'s requirements are integrated\ninto the development of the tool and that OBO has sufficient access to the\ninformation.\n\nOBO\'s Comments: The list of physical security deficiencies should consist of\nvalid deficiencies vetted by DS against the appropriate OSPB physical\nsecurity standards. This will provide a validated universe of requirements to\nbe addressed, with new valid requirements added as they are identified.\n\n                                  UNCLASSIFIED\n                                                                                      6\n\n\n\n\n                                      65 \n\n                                 UNCLASSIFIED\n\n\n\x0c                                UNCLASSIFIED\n\n\n\n\n\n                                  UNCLASSIFIED\n\n\n\nOBO\'s Comments: The six projects were properly funded by OS with OS\nfunds. Sanaa was residential security upgrades to a STL property.\n\nOIG Statement on Page 32: The OIG also states on page 32 that .. . "OBO\ndeveloped and issued a Long-Range Plan that provided detailed infonnation post\nby post on new construction projects and needed repairs and improvements."\n\nOBO\'s Comments: As noted previously, the Long-Range Plan which is made\navailable to all posts also includes Compound Security Program project\ndetails and funding totals post by post, where applicable.\n\nOBO Comments on Ouestionnaire:\n\nIt is difficult to address the conclusions from the questionnaire data without\nknowing the specific posts and issues. For example, "formal requests" would\ntypically be via cable. Absent more specific information, we cannot determine\nwhether the "denial" was by OS or OBO, or the reason for the denial of\nspecific individual items.\n\nSince the posts that responded to the questionnaire stated that they have\npending security upgrade needs, the specific posts should be identified to OBO\nand OS for immediate follow-up to help identify and address existing\nvulnerabilities.\n\nOIG Ouestionnaire Ouestion 4: What was the reason for physical security related\nneeds for your post?\n\nOBO\'s Comments: The second most common answer was "\'normal\ndeterioration of the facility". It is unclear how this is physical security related\n- absent more specific information.\n\nOIG Ouestionnaire Ouestion 11: Irrespective of whether your post fonnally\nrequested funding for any physical security-related needs, please provide the\napproximate total dollar amount of post funds spent in FY 2012 to address physical\nsecurity-related needs.\n\nOBO\'s Comments: Given the large dollar amounts reported, it is likely that\nthe reported totals include security upgrade funding that post had requested\n\n                                 UNCLASSIFIED\n                                                                                  5\n\n\n\n\n                                     64 \n\n                                UNCLASSIFIED\n\n\n\x0c                                 UNCLASSIFIED\n\n\n\n\n\n                                  UNCLASSIFIED\n\n\n\nRecommendation 6: OIG recommends that the Bureau of Overseas Buildings\nOperations develop and implement a formal process to document all formal\nrequests made by posts for physical security funding, not just the requests that have\nbeen funded or approved, and the disposition of those requests.\n\nOBO\'s Comments: OBO concurs, noting that funding will be part of the\noverall process developed in Recommendation 1.\n\nRecommendation 8: OIG recommends that the Bureau of Overseas Buildings\nOperations, in coordination with the Bureau of Diplomatic Security, develop and\nimplement formal standardized processes to prioritize physical security-related\ndeficiencies at posts by category, such as major physical security upgrades, forced\xc2\xad\nentry/ballistic-resistant projects, and minor physical security upgrades. The\nprioritizations should be performed based on a comprehensive list of all physical\nsecurity needs and should be periodically updated based on changes in risk factors\nor posts\' needs. The processes used to perform the prioritizations should be\ndocumented and repeatable. In addition, in developing the processes,\nconsideration should be given to how the Overseas Security Policy Board\nstandards will be utilized, what risk factors will be considered, and what impact\nupcoming major rehabilitation projects or new construction would have on the\nprioritized rankings.\n\nOBO\'s Comments: OBO concurs, with the same comment as\nRecommendation 4 - the prioritization should be performed on a\ncomprehensive list of DS validated deficiencies.\n\nRecommendation 9: OIG recommends that the Bureau of Diplomatic Security\n(DS) and the Bureau of Overseas Buildings Operations (OBO) better define the\nroles and responsibilities of each bureau to ensure that both bureaus are fully\ninvolved in the process to prioritize and fund physical security needs at posts. As\npart of developing these roles and responsibilities, a process should be established\nto have a neutral party review and make decisions when disagreements arise about\nfunding decisions between OBO and DS.\n\nOBO\'s Comments: OBO concurs with the exception of the neutral party. We\ndo not think there are, or have been, "funding decisions" that could not be\nresolved within and between OBO and DS. If it really reached that level, M\nwould decide.\n\n                                  UNCLASSIFIED\n                                                                                       7\n\n\n\n\n                                      66 \n\n                                 UNCLASSIFIED\n\n\n\x0c                               UNCLASSIFIED\n\n\n\n\n\n                                UNCLASSIFIED\n\n\n\nRecommendation 10: OIG recommends that the Bureau of Overseas Buildings\nOperations, in coordination with the Bureau of Diplomatic Security, develop and\nissue a Long-Range Physical Security Plan,\n\nOBO\'s Comments: OBO does not concur. OBO\'s Long-Range Plan which is\nmade available to all posts includes Compound Security Program project\ndetails and funding totals post by post, where applicable.\n\n\n\n\n                                 UNCLASSIFIED\n                                                                                  8\n\n\n\n\n                                    67 \n\n                               UNCLASSIFIED\n\n\n\x0c'